From 447589f11e1a406c3a97d1ff8fbcdba788734a01 Mon Sep 17 00:00:00 2001 
From: Nick Owens Date: Fri, 20 Nov 2015 13:56:25 -0800 Subject: [PATCH] sys-kernel/coreos-sources: bump to 4.3.0 --- .../sys-kernel/coreos-sources/Manifest | 3 +- .../coreos-sources-4.2.2-r2.ebuild | 38 ------------ .../coreos-sources-4.3.0.ebuild | 41 +++++++++++++ ...turn-value-of-switchdev_port_fdb_dum.patch | 39 ------------- ...-runtime-if-the-kernel-enforces-modu.patch | 44 -------------- ...ure-boot-if-shim-is-in-insecure-mode.patch | 58 ------------------- .../0001-Add-secure_modules-call.patch} | 10 ++-- ...-access-when-module-security-is-ena.patch} | 8 +-- ...port-access-when-module-security-is.patch} | 6 +- ...-ACPI-Limit-access-to-custom_method.patch} | 6 +- ...-debugfs-interface-when-module-load.patch} | 6 +- ...and-dev-kmem-when-module-loading-is.patch} | 6 +- ...rsdp-kernel-parameter-when-module-l.patch} | 12 ++-- ...-runtime-if-the-kernel-enforces-modu.patch | 39 +++++++++++++ ...access-when-module-loading-is-restr.patch} | 6 +- ...omatically-enforce-module-signature.patch} | 28 ++++----- ...CURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch} | 10 ++-- .../0012-efi-Add-EFI_SECURE_BOOT-bit.patch} | 10 ++-- ...ble-in-a-signed-modules-environment.patch} | 6 +- ...copy-up-security-hooks-for-unioned-.patch} | 16 ++--- ...verlayfs-Use-copy-up-security-hooks.patch} | 8 +-- ...16-SELinux-Stub-in-copy-up-handling.patch} | 12 ++-- ...ux-Handle-opening-of-a-unioned-file.patch} | 12 ++-- ...inst-union-label-for-file-operation.patch} | 12 ++-- ...-wl18xx-Add-missing-MODULE_FIRMWARE.patch} | 10 ++-- ...-a-minimal-buffer-in-ovl_copy_xattr.patch} | 8 +-- ...ev-fix-return-code-of-fdb_dump-stub.patch} | 12 ++-- 27 files changed, 183 insertions(+), 283 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.2-r2.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.0.ebuild delete mode 100644 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/01-Add-secure_modules-call.patch => 4.3/0001-Add-secure_modules-call.patch} (87%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch => 4.3/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch} (95%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch => 4.3/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch} (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/04-ACPI-Limit-access-to-custom_method.patch => 4.3/0004-ACPI-Limit-access-to-custom_method.patch} (87%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch => 4.3/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch} (91%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch => 4.3/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch} (89%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch => 4.3/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch} (78%) create mode 100644 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch => 4.3/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch} (89%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/10-Add-option-to-automatically-enforce-module-signature.patch => 4.3/0010-Add-option-to-automatically-enforce-module-signature.patch} (90%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch => 4.3/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch} (77%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch => 4.3/0012-efi-Add-EFI_SECURE_BOOT-bit.patch} (84%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch => 4.3/0013-hibernate-Disable-in-a-signed-modules-environment.patch} (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/overlayfs/0001-Security-Provide-copy-up-security-hooks-for-unioned-.patch => 4.3/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch} (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/overlayfs/0002-Overlayfs-Use-copy-up-security-hooks.patch => 4.3/0015-Overlayfs-Use-copy-up-security-hooks.patch} (88%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/overlayfs/0003-SELinux-Stub-in-copy-up-handling.patch => 4.3/0016-SELinux-Stub-in-copy-up-handling.patch} (85%) rename 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/overlayfs/0004-SELinux-Handle-opening-of-a-unioned-file.patch => 4.3/0017-SELinux-Handle-opening-of-a-unioned-file.patch} (93%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/overlayfs/0005-SELinux-Check-against-union-label-for-file-operation.patch => 4.3/0018-SELinux-Check-against-union-label-for-file-operation.patch} (80%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch => 4.3/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch} (72%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/overlayfs/0006-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch => 4.3/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch} (91%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.2/0022-net-switchdev-fix-return-code-of-fdb_dump-stub.patch => 4.3/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch} (77%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest index 42b5577e29..2146efa517 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest 
@@ -1,2 +1 @@
-DIST linux-4.2.tar.xz 85507784 SHA256 cf20e044f17588d2a42c8f2a450b0fd84dfdbd579b489d93e9ab7d0e8b45dbeb SHA512 a87bbce3c0c6d810a41bbba1c0dcaae80dc38dded9f8571e97fa4ee5a468d655daf52d260911412f7c7da3171a5114e89d63da14b1753b9a3eb2cc38fd89b9ee WHIRLPOOL 2058e664ee287cc03119ff3dd0155b7018b9c789a13a1012f190e516172f845dcb2d977c8e6a6951e9bd720e5e8cdfa3b888cce392c9b02780520e77475870d0
-DIST patch-4.2.2.xz 82480 SHA256 8b4578f1e1dcfbef1e39c39b861d4715aa99917af0b7c2dc324622d65884dcb5 SHA512 b37c71cb46cdbf3b7d2dac84ebf3e09d4e5e2433b150078e0e40ea881296401954b359d7bba6e9358957260cb0ccabafc0579feaef19c949d02ac9cfb48a3002 WHIRLPOOL 011d18a6099c75e0eb6de3d863089704ca811dfefafa0d92864dc8702566cd0776d2491fa2c3f17c50e76eb9e394d1ff4926b07e1f534af513293092c4e65c4d
+DIST linux-4.3.tar.xz 86920812 SHA256 4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae SHA512 d25812043850530fdcfdb48523523ee980747f3c2c1266149330844dae2cba0d056d4ddd9c0f129f570f5d1f6df5c20385aec5f6a2e0755edc1e2f5f93e2c6bc WHIRLPOOL e3f131443acc14d4f67bbd3f4e1c57af3d822c41c85a112564d54667a591c8619dce42327fd8166d30a2d7adfaf433c2e2134d4995c91c08f65ac0cc2190f935
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.2-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.2-r2.ebuild
deleted file mode 100644
index e47c3c4b81..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.2-r2.ebuild
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-UNIPATCH_LIST="${PATCH_DIR}/01-Add-secure_modules-call.patch \
-${PATCH_DIR}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-${PATCH_DIR}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-${PATCH_DIR}/04-ACPI-Limit-access-to-custom_method.patch \
-${PATCH_DIR}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-${PATCH_DIR}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-${PATCH_DIR}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-${PATCH_DIR}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-${PATCH_DIR}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-${PATCH_DIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
-${PATCH_DIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-${PATCH_DIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
-${PATCH_DIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch \
-${PATCH_DIR}/overlayfs/0001-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
-${PATCH_DIR}/overlayfs/0002-Overlayfs-Use-copy-up-security-hooks.patch \
-${PATCH_DIR}/overlayfs/0003-SELinux-Stub-in-copy-up-handling.patch \
-${PATCH_DIR}/overlayfs/0004-SELinux-Handle-opening-of-a-unioned-file.patch \
-${PATCH_DIR}/overlayfs/0005-SELinux-Check-against-union-label-for-file-operation.patch \
-${PATCH_DIR}/overlayfs/0006-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
-${PATCH_DIR}/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \
-${PATCH_DIR}/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch \
-${PATCH_DIR}/0022-net-switchdev-fix-return-code-of-fdb_dump-stub.patch"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.0.ebuild
new file mode 100644
index 0000000000..2c76836baf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.0.ebuild
@@ -0,0 +1,41 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+ ${PATCH_DIR}/0001-Add-secure_modules-call.patch \
+ ${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+ ${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+ ${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
+ ${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+ ${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+ ${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+ ${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+ ${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+ ${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
+ ${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+ ${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+ ${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+ ${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+ ${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
+ ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
+ ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+ ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
+ ${PATCH_DIR}/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \
+ ${PATCH_DIR}/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
+ 
${PATCH_DIR}/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch \ +" + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch deleted file mode 100644 index ff0051b71f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch +++ /dev/null @@ -1,39 +0,0 @@ -From a380cc22a956afb1370cf8f4c6708a25b2d6d1f5 Mon Sep 17 00:00:00 2001 -From: Jiri Pirko -Date: Thu, 3 Sep 2015 14:04:17 +0200 -Subject: [PATCH 21/22] switchdev: fix return value of switchdev_port_fdb_dump - in case of error - -switchdev_port_fdb_dump is used as .ndo_fdb_dump. Its return value is -idx, so we cannot return errval. - -Fixes: 45d4122ca7cd ("switchdev: add support for fdb add/del/dump via switchdev_port_obj ops.") -Signed-off-by: Jiri Pirko -Acked-by: Sridhar Samudrala -Acked-by: Scott Feldman -Signed-off-by: David S. Miller ---- - net/switchdev/switchdev.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c -index 9f2add3..6a566cd 100644 ---- a/net/switchdev/switchdev.c -+++ b/net/switchdev/switchdev.c -@@ -853,12 +853,8 @@ int switchdev_port_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb, - .cb = cb, - .idx = idx, - }; -- int err; -- -- err = switchdev_port_obj_dump(dev, &dump.obj); -- if (err) -- return err; - -+ switchdev_port_obj_dump(dev, &dump.obj); - return dump.idx; - } - EXPORT_SYMBOL_GPL(switchdev_port_fdb_dump); --- -2.4.6 - 
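Review bot: The regeneration recipe in the new ebuild's `# in $PATCH_DIR: ls -1 | sed …` comment builds UNIPATCH_LIST from whatever happens to be in files/4.3, so a stray or leftover file in that directory would be applied to the kernel, and a patch that goes missing would drop out of the list without any error. Entries 0001 to 0013 look like the module-signing lockdown series, where a silently dropped patch weakens the restriction rather than breaking the build. I would extend the comment to state that the numeric prefixes define the apply order and that a regenerated list has to be compared with the previous one, for example `# order matters; after regenerating, confirm 0001-0013 (secure_modules lockdown) are all still listed`.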
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch deleted file mode 100644 index 83aceefded..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9b3e6387aadd3baa76e5c1abd7c9071b4871885a Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Fri, 9 Aug 2013 03:33:56 -0400 -Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module - loading restrictions - -kexec permits the loading and execution of arbitrary code in ring 0, which -is something that module signing enforcement is meant to prevent. It makes -sense to disable kexec in this situation. - -Signed-off-by: Matthew Garrett ---- - kernel/kexec.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index a785c10..81d6b40 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -1258,6 +1259,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, - return -EPERM; - - /* -+ * kexec can be used to circumvent module loading restrictions, so -+ * prevent loading in that case -+ */ -+ if (secure_modules()) -+ return -EPERM; -+ -+ /* - * Verify we have a legal set of flags - * This leaves us room for future extensions. - */ --- -2.4.3 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch deleted file mode 100644 index 8cdf96130b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 4095f969830267114c73cbef05fc3b984f34bc34 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. - -Signed-off-by: Josh Boyer ---- - arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 03bfc83..1e80f3a 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -830,8 +830,9 @@ out: - - static int get_secure_boot(void) - { -- u8 sb, setup; -+ u8 sb, setup, moksbstate; - unsigned long datasize = sizeof(sb); -+ u32 attr; - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_status_t status; - -@@ -855,6 +856,23 @@ static int get_secure_boot(void) - if (setup == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_early->call((unsigned long)sys_table->runtime->get_variable, -+ L"MokSBState", &var_guid, &attr, &datasize, -+ &moksbstate); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (moksbstate == 1) -+ return 0; -+ } -+ - return 1; - } - --- -2.4.3 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/01-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0001-Add-secure_modules-call.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/01-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0001-Add-secure_modules-call.patch index c0c33617f1..72b6f9cbe6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/01-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0001-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ -From 6067a76dca90f315916621a657a8a6379b1d0c3b Mon Sep 17 00:00:00 2001 +From f4b4e6d9d747199355a1af3d19b9c6e3883c6f69 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/14] Add secure_modules() call +Subject: [PATCH 01/21] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -41,10 +41,10 @@ index 3a19c79..db38634 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index b86b7bf..7f04524 100644 +index 8f051a1..58e636c 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod, +@@ -4091,3 +4091,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index b86b7bf..7f04524 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 7e581c8c88..194e5b1901 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ -From 1d82a694eb7508eef1e25c4c4dfe5e4ae9206454 Mon Sep 17 00:00:00 2001 +From e1479978a5b79f053368c011304e528355b43757 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is +Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from @@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 312f23a..93e6ac1 100644 +index 9261868..9e99a3c 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -30,6 +30,7 @@ @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index 19709440bb..0cf17894e4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ -From dcddff58bc08a34053c033131bc800e16210a071 Mon Sep 17 00:00:00 2001 +From b5bb0f89eb70f479b63a188025b607eb221ff68e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/14] x86: Lock down IO port access when module security is +Subject: [PATCH 03/21] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration @@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/04-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0004-ACPI-Limit-access-to-custom_method.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/04-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0004-ACPI-Limit-access-to-custom_method.patch index ffa30c8d90..5b58bb95ca 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/04-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0004-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ -From c2c125a4fdabc50a25952e5a81c0fd2b46fde688 Mon Sep 17 00:00:00 2001 +From b56b0339f5f4fa7cc1ed00b9c6f21e811595ae9f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/14] ACPI: Limit access to custom_method +Subject: [PATCH 04/21] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 6f2637aec1..bdc3935aa6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ -From 9adc395ee42eb155a05fc82ca07cb3d77f19abe6 Mon Sep 17 00:00:00 2001 +From 09ffe104e8f518b7085638480a098f63ca36a346 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a @@ -50,5 +50,5 @@ index efbc3f0..071171b 100644 1, asus->debug.method_id, &input, &output); -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index b76c42cb2a..d0f94fa4a7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ -From 2ca28096b959a2f53a3a761426418aea7a4d48f6 Mon Sep 17 00:00:00 2001 +From 3215ee6063f06b407d5f96a7ea3f47b7eb301353 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -38,5 +38,5 @@ index 53fe675..b52c888 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 78% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 3f5b370220..40b05a7240 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ -From 9f838b6efbbabccbef59f278c13381c332e5b992 Mon Sep 17 00:00:00 2001 +From 9822ba15eaa928b83bfc8faef740b55b82b309b9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -14,10 +14,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 3b8963f..a5ae6a7 100644 +index 739a4a6..9ef2a02 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c -@@ -44,6 +44,7 @@ +@@ -40,6 +40,7 @@ #include #include #include 
@@ -25,7 +25,7 @@ index 3b8963f..a5ae6a7 100644
 #include
 #include
-@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
 acpi_physical_address __init acpi_os_get_root_pointer(void)
 {
 #ifdef CONFIG_KEXEC
@@ -35,5 +35,5 @@ index 3b8963f..a5ae6a7 100644
 #endif
 --
-2.4.3
+2.4.10
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
new file mode 100644
index 0000000000..bbd4950c60
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
@@ -0,0 +1,39 @@
+From 8b75d9cbe2df89e63af7914534b63717024328fb Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Thu, 19 Nov 2015 18:55:53 -0800
+Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
+ loading restrictions
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that module signing enforcement is meant to prevent. It makes
+sense to disable kexec in this situation.
+
+Signed-off-by: Matthew Garrett
+---
+ kernel/kexec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 4c5edc3..5920ebc 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "kexec_internal.h"
+
+@@ -129,7 +130,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ int result;
+
+ /* We only trust the superuser with rebooting the system. */
+- if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
++ if (!capable(CAP_SYS_BOOT) || kexec_load_disabled || secure_modules())
+ return -EPERM;
+
+ /*
+--
+2.4.10
+
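Review bot: The `secure_modules()` test added by the new 0008 patch sits only on the `kexec_load` path in kernel/kexec.c, so nothing visible in this series covers the file-based `kexec_file_load` syscall; unless that entry point is built with signature verification (`CONFIG_KEXEC_VERIFY_SIG`) or is configured out, it presumably still allows an unsigned image to be loaded on a system that enforces module signatures. I would either add the same `|| secure_modules()` condition to the permission check in `kexec_file_load`, or state in the patch description which kernel configuration the restriction relies on. A short comment above the changed line would also help the next rebase, e.g. `/* kexec can load unsigned ring-0 code, so refuse it when module signatures are enforced */`. The body of `kexec_load` continues beyond the inner hunk, so the rest of the syscall is not visible here.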
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
similarity index 89%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
index 05008e5170..b110a37e4b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@@ -1,7 +1,7 @@
-From 54cae7b82dc43c871e0cba995d1cf14c5afd7a49 Mon Sep 17 00:00:00 2001
+From c21e00285f2b1c8d860bdc0095e05c73309634a1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is
+Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is
 restricted
 Writing to MSRs should not be allowed if module loading is restricted,
@@ -40,5 +40,5 @@ index 113e707..26c2f83 100644
 err = -EFAULT;
 break;
 --
-2.4.3
+2.4.10
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/10-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0010-Add-option-to-automatically-enforce-module-signature.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/10-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0010-Add-option-to-automatically-enforce-module-signature.patch index 9aae975b90..71e6524886 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/10-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ -From 20d26ef5fc1f9686c8ef9965785227b8ce78e159 Mon Sep 17 00:00:00 2001 +From 354ecea4775bda0643a9b2ef5d45e67e046ddb9a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/14] Add option to automatically enforce module signatures +Subject: [PATCH 10/21] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will @@ -21,10 +21,10 @@ Signed-off-by: Matthew Garrett 7 files changed, 69 insertions(+), 1 deletion(-) diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 82fbdbc..a811210 100644 +index 95a4d34..b8527c6 100644 --- a/Documentation/x86/zero-page.txt +++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning +@@ -31,6 +31,8 @@ Offset Proto Name Meaning 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer (below) 
@@ -34,10 +34,10 @@ index 82fbdbc..a811210 100644
 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00 ALL e820_map E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index b3a1a5d..e6680fb 100644
+index 96d058a..f7494bd 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1704,6 +1704,16 @@ config EFI_MIXED
+@@ -1736,6 +1736,16 @@ config EFI_MIXED
 If unsure, say N.
@@ -55,7 +55,7 @@ index b3a1a5d..e6680fb 100644
 def_bool y
 prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 7d69afd..03bfc83 100644
+index db51c1f..9dd115a 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,7 +66,7 @@ index 7d69afd..03bfc83 100644
 #include "../string.h"
 #include "eboot.h"
-@@ -827,6 +828,37 @@ out:
+@@ -831,6 +832,37 @@ out:
 return status;
 }
@@ -116,7 +116,7 @@ index 7d69afd..03bfc83 100644
 setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index ab456dc..74ba408 100644
+index 3292543..b61f853 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
 @@ -134,7 +134,8 @@ struct boot_params {
@@ -130,10 +130,10 @@ index ab456dc..74ba408 100644
 * The sentinel is set to a nonzero value (0xff) in header.S.
 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 80f874b..c2e4f52 100644
+index a3cccbf..bddbfa7 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
 io_delay_init();
@@ -164,10 +164,10 @@ index db38634..4b8df91 100644
 extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 7f04524..2b403ab 100644
+index 58e636c..6dd2bb3 100644
 --- a/kernel/module.c
+++ b/kernel/module.c -@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod, +@@ -4092,6 +4092,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -182,5 +182,5 @@ index 7f04524..2b403ab 100644 { #ifdef CONFIG_MODULE_SIG -- -2.4.3 +2.4.10 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index bb58cda7cf..c7a30506d3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ -From 6435d27b9b072307909802f9417882d3b0a1f554 Mon Sep 17 00:00:00 2001 +From 6277cf00738caf83ca65147c4b0af06c3ed8a00a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index e6680fb..2c4b0e7 100644 +index f7494bd..3a5e694 100644 --- a/arch/x86/Kconfig 
+++ b/arch/x86/Kconfig -@@ -1705,7 +1705,8 @@ config EFI_MIXED +@@ -1737,7 +1737,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -26,5 +26,5 @@ index e6680fb..2c4b0e7 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.4.3 +2.4.10 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0012-efi-Add-EFI_SECURE_BOOT-bit.patch index 007d24d772..6cda3d2db1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From 0925cb3f7afbf104e9b5df5dea02dd0d8cdb0c2e Mon Sep 17 00:00:00 2001 +From 589d649aad69a64dfc8802211dd5eeab11e29ba4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index c2e4f52..5def6b4 100644 +index bddbfa7..2015f84 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { 
@@ -39,5 +39,5 @@ index 85ef051..de3e450 100644 #ifdef CONFIG_EFI /* -- -2.4.3 +2.4.10 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0013-hibernate-Disable-in-a-signed-modules-environment.patch index 0f4f0c300b..c2ac018c4f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From f77ad7f8cdc798a27a4e1f3f1951df958547265f Mon Sep 17 00:00:00 2001 +From b6233fa67ca06ab2f0d63e3871162598ae6bf0dd Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment +Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -35,5 +35,5 @@ index 690f78f..037303a 100644 /** -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0001-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch
similarity index 93%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0001-Security-Provide-copy-up-security-hooks-for-unioned-.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch
index c9739de4f5..4c30b2dfa5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0001-Security-Provide-copy-up-security-hooks-for-unioned-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch
@@ -1,7 +1,7 @@
-From bf7f29c3ce247f0074b9cec78e948f779d19dab6 Mon Sep 17 00:00:00 2001
+From 3298b3864380851ecb8551c560d7dbce3f45c78a Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 1/5] Security: Provide copy-up security hooks for unioned
+Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned
 files
 Provide two new security hooks for use with security files that are used when
@@ -21,7 +21,7 @@ Signed-off-by: David Howells
 3 files changed, 54 insertions(+)
 diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 9429f05..1c38ceb 100644
+index ec3a6ba..8c0c524 100644
 --- a/include/linux/lsm_hooks.h
 +++ b/include/linux/lsm_hooks.h
 @@ -401,6 +401,24 @@
@@ -69,7 +69,7 @@ index 9429f05..1c38ceb 100644
 struct list_head file_alloc_security;
 struct list_head file_free_security;
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 79d85dd..10d3211 100644
+index 2f4c1f7..ec21144 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -274,6 +274,10 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void
@@ -101,10 +101,10 @@ index 79d85dd..10d3211 100644
 {
 return 0;
 diff --git a/security/security.c b/security/security.c
-index 9942836..976e7114 100644
+index 46f405c..e33c5d5 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -731,6 +731,19 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid)
+@@ -726,6 +726,19 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid)
 call_void_hook(inode_getsecid, inode, secid);
 }
@@ -124,7 +124,7 @@ index 9942836..976e7114 100644
 int security_file_permission(struct file *file, int mask)
 {
 int ret;
-@@ -1659,6 +1672,10 @@ struct security_hook_heads security_hook_heads = {
+@@ -1654,6 +1667,10 @@ struct security_hook_heads security_hook_heads = {
 LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
 .inode_getsecid =
 LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
@@ -136,5 +136,5 @@ index 9942836..976e7114 100644
 LIST_HEAD_INIT(security_hook_heads.file_permission),
 .file_alloc_security =
 --
-2.4.3
+2.4.10
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0002-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0015-Overlayfs-Use-copy-up-security-hooks.patch
similarity index 88%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0002-Overlayfs-Use-copy-up-security-hooks.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0015-Overlayfs-Use-copy-up-security-hooks.patch
index 92fb6eceba..6f5b826f99 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0002-Overlayfs-Use-copy-up-security-hooks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0015-Overlayfs-Use-copy-up-security-hooks.patch @@ -1,7 +1,7 @@ -From f7232b5105b54e8605810a4a22407625ef626cfd Mon Sep 17 00:00:00 2001 +From 3d01bf723f845693c95d3e7fe556cd13b1f41796 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 2/5] Overlayfs: Use copy-up security hooks +Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks Use the copy-up security hooks previously provided to allow an LSM to adjust the security on a newly created copy and to filter the xattrs copied to that @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 12 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 84d693d..8f66b39 100644 +index 871fcb6..865f80a 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -58,6 +58,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new) @@ -43,5 +43,5 @@ index 84d693d..8f66b39 100644 struct path upperpath; ovl_path_upper(dentry, &upperpath); -- -2.4.3 +2.4.10 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0003-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0016-SELinux-Stub-in-copy-up-handling.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0003-SELinux-Stub-in-copy-up-handling.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0016-SELinux-Stub-in-copy-up-handling.patch index 0d61ef5dea..9582cfdc60 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0003-SELinux-Stub-in-copy-up-handling.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0016-SELinux-Stub-in-copy-up-handling.patch @@ -1,7 +1,7 @@ -From c86855ff554866751bbaf3f710081222448ae2cc Mon Sep 17 00:00:00 2001 +From 7e806ccf4d8426a9247aaf5b1652f6e8c15658a4 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 3/5] SELinux: Stub in copy-up handling +Subject: [PATCH 16/21] SELinux: Stub in copy-up handling Provide stubs for union/overlay copy-up handling. The xattr copy up stub discards lower SELinux xattrs rather than letting them be copied up so that @@ -13,10 +13,10 @@ Signed-off-by: David Howells 1 file changed, 20 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 564079c..5b5864f 100644 +index e4369d8..7c1a44d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -3184,6 +3184,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) +@@ -3190,6 +3190,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) *secid = isec->sid; } @@ -41,7 +41,7 @@ index 564079c..5b5864f 100644 /* file security operations */ static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -5872,6 +5890,8 @@ static struct security_hook_list selinux_hooks[] = { +@@ -5919,6 +5937,8 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), @@ -51,5 +51,5 @@ index 564079c..5b5864f 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.4.3 +2.4.10 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0004-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0017-SELinux-Handle-opening-of-a-unioned-file.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0004-SELinux-Handle-opening-of-a-unioned-file.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0017-SELinux-Handle-opening-of-a-unioned-file.patch index ca828467d9..d49686672a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0004-SELinux-Handle-opening-of-a-unioned-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,7 +1,7 @@ -From 960b4a846a973eab6caf342af7b19e4e1cf7cdd3 Mon Sep 17 00:00:00 2001 +From 9cd5cbccade9b18c7ef250eca17396bafafd59c6 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 4/5] SELinux: Handle opening of a unioned file +Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file Handle the opening of a unioned file by trying to derive the label that would be attached to the union-layer inode if it doesn't exist. @@ -26,10 +26,10 @@ Signed-off-by: David Howells 2 files changed, 70 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 5b5864f..1b5a338 100644 +index 7c1a44d..522b070 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -3474,10 +3474,72 @@ static int selinux_file_receive(struct file *file) +@@ -3520,10 +3520,72 @@ static int selinux_file_receive(struct file *file) return file_has_perm(cred, file, file_to_av(file)); } 
@@ -102,7 +102,7 @@ index 5b5864f..1b5a338 100644 fsec = file->f_security; isec = file_inode(file)->i_security; -@@ -3498,6 +3560,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) +@@ -3544,6 +3606,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) * new inode label or new policy. * This check is not redundant - do not remove. */ @@ -129,5 +129,5 @@ index 81fa718..f088c08 100644 }; -- -2.4.3 +2.4.10 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0005-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0018-SELinux-Check-against-union-label-for-file-operation.patch similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0005-SELinux-Check-against-union-label-for-file-operation.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0018-SELinux-Check-against-union-label-for-file-operation.patch index 9755d1db20..76e8b0ceac 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0005-SELinux-Check-against-union-label-for-file-operation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,7 +1,7 @@ -From 8801593b646aa444732e4c7431442d453d1b08cf Mon Sep 17 00:00:00 2001 +From c64b14da9495c0bcecd0d48e9fcde1898b6623b6 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 5/5] SELinux: Check against union label for file operations +Subject: [PATCH 18/21] SELinux: Check against union label for file operations File operations (eg. read, write) issued against a file that is attached to the lower layer of a union file needs to be checked against the union-layer 
@@ -16,10 +16,10 @@ Signed-off-by: David Howells
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 1b5a338..b33cbbb 100644
+index 522b070..ecc883b 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -1671,6 +1671,7 @@ static int file_has_perm(const struct cred *cred,
+@@ -1682,6 +1682,7 @@ static int file_has_perm(const struct cred *cred,
 struct file *file,
 u32 av)
 {
@@ -27,7 +27,7 @@ index 1b5a338..b33cbbb 100644
 struct file_security_struct *fsec = file->f_security;
 struct inode *inode = file_inode(file);
 struct common_audit_data ad;
-@@ -1691,8 +1692,15 @@ static int file_has_perm(const struct cred *cred,
+@@ -1702,8 +1703,15 @@ static int file_has_perm(const struct cred *cred,
 /* av is zero if only checking access to the descriptor. */
 rc = 0;
@@ -46,5 +46,5 @@ index 1b5a338..b33cbbb 100644
 out:
 return rc;
 --
-2.4.3
+2.4.10
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
similarity index 72%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
index 1c0b40cd7f..af61a5f842 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
@@ -1,7 +1,7 @@
-From 628cd64abeb364a53b86aa1dbbff151df536abfa Mon Sep 17 00:00:00 2001
+From c82a8afba2f38c29c95db14f4b73fed0bd9ebbf4 Mon Sep 17 00:00:00 2001
 From: Geoff Levand
 Date: Wed, 2 Sep 2015 16:08:30 -0700
-Subject: [PATCH] net/wireless/wl18xx: Add missing MODULE_FIRMWARE
+Subject: [PATCH 19/21] net/wireless/wl18xx: Add missing MODULE_FIRMWARE
 Fixes the output of 'modinfo --field firmware'.
@@ -11,14 +11,14 @@ Signed-off-by: Geoff Levand
 1 file changed, 1 insertion(+)
 diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
-index 49aca2c..3bbf624 100644
+index abbf054..50cce42 100644
 --- a/drivers/net/wireless/ti/wl18xx/main.c
 +++ b/drivers/net/wireless/ti/wl18xx/main.c
-@@ -2062,3 +2062,4 @@ MODULE_PARM_DESC(num_rx_desc_param,
+@@ -2115,3 +2115,4 @@ MODULE_PARM_DESC(num_rx_desc_param,
 MODULE_LICENSE("GPL v2");
 MODULE_AUTHOR("Luciano Coelho ");
 MODULE_FIRMWARE(WL18XX_FW_NAME);
 +MODULE_FIRMWARE(WL18XX_CONF_FILE_NAME);
 --
-2.1.0
+2.4.10
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0006-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0006-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
index 5a8471ec7c..de010ef4e9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/overlayfs/0006-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
@@ -1,7 +1,7 @@ -From 885f27cadbb562bb405c258ab6053f52efbf4de7 Mon Sep 17 00:00:00 2001 +From 8fdb5e7ddc542c21fd28922fe9aa59581b67c895 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Mon, 19 Oct 2015 17:53:12 -0700 -Subject: [PATCH] overlayfs: use a minimal buffer in ovl_copy_xattr +Subject: [PATCH 20/21] overlayfs: use a minimal buffer in ovl_copy_xattr Rather than always allocating the high-order XATTR_SIZE_MAX buffer which is costly and prone to failure, only allocate what is needed and @@ -13,7 +13,7 @@ Fixes https://github.com/coreos/bugs/issues/489 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 8f66b39..9426e60 100644 +index 865f80a..749bf00 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -22,8 +22,8 @@ @@ -72,5 +72,5 @@ index 8f66b39..9426e60 100644 name, value, &size); if (error < 0) -- -2.4.6 +2.4.10 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0022-net-switchdev-fix-return-code-of-fdb_dump-stub.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0022-net-switchdev-fix-return-code-of-fdb_dump-stub.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch index 1e82fa77d9..4003399978 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0022-net-switchdev-fix-return-code-of-fdb_dump-stub.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch 
@@ -1,7 +1,7 @@ -From d5eda9e85df6d1894d0d16155e0900daadb4ce1b Mon Sep 17 00:00:00 2001 +From adab4d12ddd30b27b1d620cb73f9ac31c189c386 Mon Sep 17 00:00:00 2001 From: Dragos Tatulea Date: Mon, 16 Nov 2015 10:52:48 +0100 -Subject: [PATCH 22/22] net: switchdev: fix return code of fdb_dump stub +Subject: [PATCH 21/21] net: switchdev: fix return code of fdb_dump stub rtnl_fdb_dump always expects an index to be returned by the ndo_fdb_dump op, but when CONFIG_NET_SWITCHDEV is off, it returns an error. @@ -21,10 +21,10 @@ Signed-off-by: David S. Miller 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/switchdev.h b/include/net/switchdev.h -index d5671f1..0b91979 100644 +index 319baab..731c40e 100644 --- a/include/net/switchdev.h +++ b/include/net/switchdev.h -@@ -268,7 +268,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb, +@@ -272,7 +272,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb, struct net_device *filter_dev, int idx) { @@ -32,7 +32,7 @@ index d5671f1..0b91979 100644 + return idx; } - #endif + static inline void switchdev_port_fwd_mark_set(struct net_device *dev, -- -2.4.6 +2.4.10