sys-kernel/coreos-sources: bump to 4.3.0

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1 @@
-DIST linux-4.2.tar.xz 85507784 SHA256 cf20e044f17588d2a42c8f2a450b0fd84dfdbd579b489d93e9ab7d0e8b45dbeb SHA512 a87bbce3c0c6d810a41bbba1c0dcaae80dc38dded9f8571e97fa4ee5a468d655daf52d260911412f7c7da3171a5114e89d63da14b1753b9a3eb2cc38fd89b9ee WHIRLPOOL 2058e664ee287cc03119ff3dd0155b7018b9c789a13a1012f190e516172f845dcb2d977c8e6a6951e9bd720e5e8cdfa3b888cce392c9b02780520e77475870d0
+DIST linux-4.3.tar.xz 86920812 SHA256 4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae SHA512 d25812043850530fdcfdb48523523ee980747f3c2c1266149330844dae2cba0d056d4ddd9c0f129f570f5d1f6df5c20385aec5f6a2e0755edc1e2f5f93e2c6bc WHIRLPOOL e3f131443acc14d4f67bbd3f4e1c57af3d822c41c85a112564d54667a591c8619dce42327fd8166d30a2d7adfaf433c2e2134d4995c91c08f65ac0cc2190f935
-DIST patch-4.2.2.xz 82480 SHA256 8b4578f1e1dcfbef1e39c39b861d4715aa99917af0b7c2dc324622d65884dcb5 SHA512 b37c71cb46cdbf3b7d2dac84ebf3e09d4e5e2433b150078e0e40ea881296401954b359d7bba6e9358957260cb0ccabafc0579feaef19c949d02ac9cfb48a3002 WHIRLPOOL 011d18a6099c75e0eb6de3d863089704ca811dfefafa0d92864dc8702566cd0776d2491fa2c3f17c50e76eb9e394d1ff4926b07e1f534af513293092c4e65c4d

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.2-r2.ebuild

@@ -1,38 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-UNIPATCH_LIST="${PATCH_DIR}/01-Add-secure_modules-call.patch \
-${PATCH_DIR}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-${PATCH_DIR}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-${PATCH_DIR}/04-ACPI-Limit-access-to-custom_method.patch \
-${PATCH_DIR}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-${PATCH_DIR}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-${PATCH_DIR}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-${PATCH_DIR}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-${PATCH_DIR}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-${PATCH_DIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
-${PATCH_DIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-${PATCH_DIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
-${PATCH_DIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch \
-${PATCH_DIR}/overlayfs/0001-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
-${PATCH_DIR}/overlayfs/0002-Overlayfs-Use-copy-up-security-hooks.patch \
-${PATCH_DIR}/overlayfs/0003-SELinux-Stub-in-copy-up-handling.patch \
-${PATCH_DIR}/overlayfs/0004-SELinux-Handle-opening-of-a-unioned-file.patch \
-${PATCH_DIR}/overlayfs/0005-SELinux-Check-against-union-label-for-file-operation.patch \
-${PATCH_DIR}/overlayfs/0006-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
-${PATCH_DIR}/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \
-${PATCH_DIR}/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch \
-${PATCH_DIR}/0022-net-switchdev-fix-return-code-of-fdb_dump-stub.patch"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.3.0.ebuild

@@ -0,0 +1,41 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+        ${PATCH_DIR}/0001-Add-secure_modules-call.patch \
+        ${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+        ${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+        ${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
+        ${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+        ${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+        ${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+        ${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+        ${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+        ${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
+        ${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+        ${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+        ${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+        ${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+        ${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
+        ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
+        ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+        ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
+        ${PATCH_DIR}/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch \
+        ${PATCH_DIR}/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
+        ${PATCH_DIR}/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch \
+"
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/0021-switchdev-fix-return-value-of-switchdev_port_fdb_dum.patch

@@ -1,39 +0,0 @@
-From a380cc22a956afb1370cf8f4c6708a25b2d6d1f5 Mon Sep 17 00:00:00 2001
-From: Jiri Pirko <jiri@mellanox.com>
-Date: Thu, 3 Sep 2015 14:04:17 +0200
-Subject: [PATCH 21/22] switchdev: fix return value of switchdev_port_fdb_dump
- in case of error
-
-switchdev_port_fdb_dump is used as .ndo_fdb_dump. Its return value is
-idx, so we cannot return errval.
-
-Fixes: 45d4122ca7cd ("switchdev: add support for fdb add/del/dump via switchdev_port_obj ops.")
-Signed-off-by: Jiri Pirko <jiri@mellanox.com>
-Acked-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
-Acked-by: Scott Feldman<sfeldma@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/switchdev/switchdev.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c
-index 9f2add3..6a566cd 100644
---- a/net/switchdev/switchdev.c
-+++ b/net/switchdev/switchdev.c
-@@ -853,12 +853,8 @@ int switchdev_port_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb,
- 		.cb = cb,
- 		.idx = idx,
- 	};
--	int err;
--
--	err = switchdev_port_obj_dump(dev, &dump.obj);
--	if (err)
--		return err;
- 
-+	switchdev_port_obj_dump(dev, &dump.obj);
- 	return dump.idx;
- }
- EXPORT_SYMBOL_GPL(switchdev_port_fdb_dump);
--- 
-2.4.6
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,44 +0,0 @@
-From 9b3e6387aadd3baa76e5c1abd7c9071b4871885a Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <matthew.garrett@nebula.com>
-Date: Fri, 9 Aug 2013 03:33:56 -0400
-Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
- loading restrictions
-
-kexec permits the loading and execution of arbitrary code in ring 0, which
-is something that module signing enforcement is meant to prevent. It makes
-sense to disable kexec in this situation.
-
-Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
----
- kernel/kexec.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/kernel/kexec.c b/kernel/kexec.c
-index a785c10..81d6b40 100644
---- a/kernel/kexec.c
-+++ b/kernel/kexec.c
-@@ -36,6 +36,7 @@
- #include <linux/syscore_ops.h>
- #include <linux/compiler.h>
- #include <linux/hugetlb.h>
-+#include <linux/module.h>
- 
- #include <asm/page.h>
- #include <asm/uaccess.h>
-@@ -1258,6 +1259,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- 		return -EPERM;
- 
- 	/*
-+	 * kexec can be used to circumvent module loading restrictions, so
-+	 * prevent loading in that case
-+	 */
-+	if (secure_modules())
-+		return -EPERM;
-+
-+	/*
- 	 * Verify we have a legal set of flags
- 	 * This leaves us room for future extensions.
- 	 */
--- 
-2.4.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

@@ -1,58 +0,0 @@
-From 4095f969830267114c73cbef05fc3b984f34bc34 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Tue, 5 Feb 2013 19:25:05 -0500
-Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode
-
-A user can manually tell the shim boot loader to disable validation of
-images it loads.  When a user does this, it creates a UEFI variable called
-MokSBState that does not have the runtime attribute set.  Given that the
-user explicitly disabled validation, we can honor that and not enable
-secure boot mode if that variable is set.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++-
- 1 file changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 03bfc83..1e80f3a 100644
---- a/arch/x86/boot/compressed/eboot.c
-+++ b/arch/x86/boot/compressed/eboot.c
-@@ -830,8 +830,9 @@ out:
- 
- static int get_secure_boot(void)
- {
--	u8 sb, setup;
-+	u8 sb, setup, moksbstate;
- 	unsigned long datasize = sizeof(sb);
-+	u32 attr;
- 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
- 	efi_status_t status;
- 
-@@ -855,6 +856,23 @@ static int get_secure_boot(void)
- 	if (setup == 1)
- 		return 0;
- 
-+	/* See if a user has put shim into insecure_mode.  If so, and the variable
-+	 * doesn't have the runtime attribute set, we might as well honor that.
-+	 */
-+	var_guid = EFI_SHIM_LOCK_GUID;
-+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
-+				L"MokSBState", &var_guid, &attr, &datasize,
-+				&moksbstate);
-+
-+	/* If it fails, we don't care why.  Default to secure */
-+	if (status != EFI_SUCCESS)
-+		return 1;
-+
-+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
-+		if (moksbstate == 1)
-+			return 0;
-+	}
-+
- 	return 1;
- }
- 
--- 
-2.4.3
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0001-Add-secure_modules-call.patch

@@ -1,7 +1,7 @@
-From 6067a76dca90f315916621a657a8a6379b1d0c3b Mon Sep 17 00:00:00 2001
+From f4b4e6d9d747199355a1af3d19b9c6e3883c6f69 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 01/14] Add secure_modules() call
+Subject: [PATCH 01/21] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@@ -41,10 +41,10 @@ index 3a19c79..db38634 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index b86b7bf..7f04524 100644
+index 8f051a1..58e636c 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod,
+@@ -4091,3 +4091,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif
@@ -59,5 +59,5 @@ index b86b7bf..7f04524 100644
 +}
 +EXPORT_SYMBOL(secure_modules);
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,7 +1,7 @@
-From 1d82a694eb7508eef1e25c4c4dfe5e4ae9206454 Mon Sep 17 00:00:00 2001
+From e1479978a5b79f053368c011304e528355b43757 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
+Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from
@@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  3 files changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 312f23a..93e6ac1 100644
+index 9261868..9e99a3c 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -30,6 +30,7 @@
@@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,7 +1,7 @@
-From dcddff58bc08a34053c033131bc800e16210a071 Mon Sep 17 00:00:00 2001
+From b5bb0f89eb70f479b63a188025b607eb221ff68e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
+Subject: [PATCH 03/21] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration
@@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0004-ACPI-Limit-access-to-custom_method.patch

@@ -1,7 +1,7 @@
-From c2c125a4fdabc50a25952e5a81c0fd2b46fde688 Mon Sep 17 00:00:00 2001
+From b56b0339f5f4fa7cc1ed00b9c6f21e811595ae9f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 04/14] ACPI: Limit access to custom_method
+Subject: [PATCH 04/21] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
@@ -27,5 +27,5 @@ index c68e724..4277938 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,7 @@
-From 9adc395ee42eb155a05fc82ca07cb3d77f19abe6 Mon Sep 17 00:00:00 2001
+From 09ffe104e8f518b7085638480a098f63ca36a346 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
@@ -50,5 +50,5 @@ index efbc3f0..071171b 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,7 +1,7 @@
-From 2ca28096b959a2f53a3a761426418aea7a4d48f6 Mon Sep 17 00:00:00 2001
+From 3215ee6063f06b407d5f96a7ea3f47b7eb301353 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -38,5 +38,5 @@ index 53fe675..b52c888 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,7 @@
-From 9f838b6efbbabccbef59f278c13381c332e5b992 Mon Sep 17 00:00:00 2001
+From 9822ba15eaa928b83bfc8faef740b55b82b309b9 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module
  loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -14,10 +14,10 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 3b8963f..a5ae6a7 100644
+index 739a4a6..9ef2a02 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
-@@ -44,6 +44,7 @@
+@@ -40,6 +40,7 @@
  #include <linux/list.h>
  #include <linux/jiffies.h>
  #include <linux/semaphore.h>
@@ -25,7 +25,7 @@ index 3b8963f..a5ae6a7 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -253,7 +254,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC
@@ -35,5 +35,5 @@ index 3b8963f..a5ae6a7 100644
  #endif
  
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -0,0 +1,39 @@
+From 8b75d9cbe2df89e63af7914534b63717024328fb Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@coreos.com>
+Date: Thu, 19 Nov 2015 18:55:53 -0800
+Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
+ loading restrictions
+
+kexec permits the loading and execution of arbitrary code in ring 0, which
+is something that module signing enforcement is meant to prevent. It makes
+sense to disable kexec in this situation.
+
+Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
+---
+ kernel/kexec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kexec.c b/kernel/kexec.c
+index 4c5edc3..5920ebc 100644
+--- a/kernel/kexec.c
++++ b/kernel/kexec.c
+@@ -15,6 +15,7 @@
+ #include <linux/syscalls.h>
+ #include <linux/vmalloc.h>
+ #include <linux/slab.h>
++#include <linux/module.h>
+ 
+ #include "kexec_internal.h"
+ 
+@@ -129,7 +130,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+ 	int result;
+ 
+ 	/* We only trust the superuser with rebooting the system. */
+-	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
++	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled || secure_modules())
+ 		return -EPERM;
+ 
+ 	/*
+-- 
+2.4.10
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,7 +1,7 @@
-From 54cae7b82dc43c871e0cba995d1cf14c5afd7a49 Mon Sep 17 00:00:00 2001
+From c21e00285f2b1c8d860bdc0095e05c73309634a1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is
+Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,
@@ -40,5 +40,5 @@ index 113e707..26c2f83 100644
  			err = -EFAULT;
  			break;
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0010-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,7 @@
-From 20d26ef5fc1f9686c8ef9965785227b8ce78e159 Mon Sep 17 00:00:00 2001
+From 354ecea4775bda0643a9b2ef5d45e67e046ddb9a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/14] Add option to automatically enforce module signatures
+Subject: [PATCH 10/21] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@@ -21,10 +21,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  7 files changed, 69 insertions(+), 1 deletion(-)
 
 diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
-index 82fbdbc..a811210 100644
+index 95a4d34..b8527c6 100644
 --- a/Documentation/x86/zero-page.txt
 +++ b/Documentation/x86/zero-page.txt
-@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning
+@@ -31,6 +31,8 @@ Offset	Proto	Name		Meaning
  1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)
  1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer
  				(below)
@@ -34,10 +34,10 @@ index 82fbdbc..a811210 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index b3a1a5d..e6680fb 100644
+index 96d058a..f7494bd 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1704,6 +1704,16 @@ config EFI_MIXED
+@@ -1736,6 +1736,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -55,7 +55,7 @@ index b3a1a5d..e6680fb 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index 7d69afd..03bfc83 100644
+index db51c1f..9dd115a 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,7 +66,7 @@ index 7d69afd..03bfc83 100644
  
  #include "../string.h"
  #include "eboot.h"
-@@ -827,6 +828,37 @@ out:
+@@ -831,6 +832,37 @@ out:
  	return status;
  }
  
@@ -116,7 +116,7 @@ index 7d69afd..03bfc83 100644
  
  	setup_efi_pci(boot_params);
 diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
-index ab456dc..74ba408 100644
+index 3292543..b61f853 100644
 --- a/arch/x86/include/uapi/asm/bootparam.h
 +++ b/arch/x86/include/uapi/asm/bootparam.h
 @@ -134,7 +134,8 @@ struct boot_params {
@@ -130,10 +130,10 @@ index ab456dc..74ba408 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 80f874b..c2e4f52 100644
+index a3cccbf..bddbfa7 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1135,6 +1135,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -164,10 +164,10 @@ index db38634..4b8df91 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 7f04524..2b403ab 100644
+index 58e636c..6dd2bb3 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod,
+@@ -4092,6 +4092,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  
@@ -182,5 +182,5 @@ index 7f04524..2b403ab 100644
  {
  #ifdef CONFIG_MODULE_SIG
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,7 +1,7 @@
-From 6435d27b9b072307909802f9417882d3b0a1f554 Mon Sep 17 00:00:00 2001
+From 6277cf00738caf83ca65147c4b0af06c3ed8a00a Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index e6680fb..2c4b0e7 100644
+index f7494bd..3a5e694 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1705,7 +1705,8 @@ config EFI_MIXED
+@@ -1737,7 +1737,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE
@@ -26,5 +26,5 @@ index e6680fb..2c4b0e7 100644
  	---help---
  	  UEFI Secure Boot provides a mechanism for ensuring that the
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0012-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From 0925cb3f7afbf104e9b5df5dea02dd0d8cdb0c2e Mon Sep 17 00:00:00 2001
+From 589d649aad69a64dfc8802211dd5eeab11e29ba4 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index c2e4f52..5def6b4 100644
+index bddbfa7..2015f84 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1137,7 +1137,9 @@ void __init setup_arch(char **cmdline_p)
  
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  	if (boot_params.secure_boot) {
@@ -39,5 +39,5 @@ index 85ef051..de3e450 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0013-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From f77ad7f8cdc798a27a4e1f3f1951df958547265f Mon Sep 17 00:00:00 2001
+From b6233fa67ca06ab2f0d63e3871162598ae6bf0dd Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment
+Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -35,5 +35,5 @@ index 690f78f..037303a 100644
  
  /**
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch

@@ -1,7 +1,7 @@
-From bf7f29c3ce247f0074b9cec78e948f779d19dab6 Mon Sep 17 00:00:00 2001
+From 3298b3864380851ecb8551c560d7dbce3f45c78a Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 1/5] Security: Provide copy-up security hooks for unioned
+Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned
  files
 
 Provide two new security hooks for use with security files that are used when
@@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  3 files changed, 54 insertions(+)
 
 diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 9429f05..1c38ceb 100644
+index ec3a6ba..8c0c524 100644
 --- a/include/linux/lsm_hooks.h
 +++ b/include/linux/lsm_hooks.h
 @@ -401,6 +401,24 @@
@@ -69,7 +69,7 @@ index 9429f05..1c38ceb 100644
  	struct list_head file_alloc_security;
  	struct list_head file_free_security;
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 79d85dd..10d3211 100644
+index 2f4c1f7..ec21144 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
 @@ -274,6 +274,10 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void
@@ -101,10 +101,10 @@ index 79d85dd..10d3211 100644
  {
  	return 0;
 diff --git a/security/security.c b/security/security.c
-index 9942836..976e7114 100644
+index 46f405c..e33c5d5 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -731,6 +731,19 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid)
+@@ -726,6 +726,19 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid)
  	call_void_hook(inode_getsecid, inode, secid);
  }
  
@@ -124,7 +124,7 @@ index 9942836..976e7114 100644
  int security_file_permission(struct file *file, int mask)
  {
  	int ret;
-@@ -1659,6 +1672,10 @@ struct security_hook_heads security_hook_heads = {
+@@ -1654,6 +1667,10 @@ struct security_hook_heads security_hook_heads = {
  		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
  	.inode_getsecid =
  		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
@@ -136,5 +136,5 @@ index 9942836..976e7114 100644
  		LIST_HEAD_INIT(security_hook_heads.file_permission),
  	.file_alloc_security =
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0015-Overlayfs-Use-copy-up-security-hooks.patch

@@ -1,7 +1,7 @@
-From f7232b5105b54e8605810a4a22407625ef626cfd Mon Sep 17 00:00:00 2001
+From 3d01bf723f845693c95d3e7fe556cd13b1f41796 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 2/5] Overlayfs: Use copy-up security hooks
+Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
 
 Use the copy-up security hooks previously provided to allow an LSM to adjust
 the security on a newly created copy and to filter the xattrs copied to that
@@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 12 insertions(+)
 
 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 84d693d..8f66b39 100644
+index 871fcb6..865f80a 100644
 --- a/fs/overlayfs/copy_up.c
 +++ b/fs/overlayfs/copy_up.c
 @@ -58,6 +58,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
@@ -43,5 +43,5 @@ index 84d693d..8f66b39 100644
  		struct path upperpath;
  		ovl_path_upper(dentry, &upperpath);
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0016-SELinux-Stub-in-copy-up-handling.patch

@@ -1,7 +1,7 @@
-From c86855ff554866751bbaf3f710081222448ae2cc Mon Sep 17 00:00:00 2001
+From 7e806ccf4d8426a9247aaf5b1652f6e8c15658a4 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 3/5] SELinux: Stub in copy-up handling
+Subject: [PATCH 16/21] SELinux: Stub in copy-up handling
 
 Provide stubs for union/overlay copy-up handling.  The xattr copy up stub
 discards lower SELinux xattrs rather than letting them be copied up so that
@@ -13,10 +13,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 20 insertions(+)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 564079c..5b5864f 100644
+index e4369d8..7c1a44d 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -3184,6 +3184,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
+@@ -3190,6 +3190,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
  	*secid = isec->sid;
  }
  
@@ -41,7 +41,7 @@ index 564079c..5b5864f 100644
  /* file security operations */
  
  static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -5872,6 +5890,8 @@ static struct security_hook_list selinux_hooks[] = {
+@@ -5919,6 +5937,8 @@ static struct security_hook_list selinux_hooks[] = {
  	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
  	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
  	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
@@ -51,5 +51,5 @@ index 564079c..5b5864f 100644
  	LSM_HOOK_INIT(file_permission, selinux_file_permission),
  	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0017-SELinux-Handle-opening-of-a-unioned-file.patch

@@ -1,7 +1,7 @@
-From 960b4a846a973eab6caf342af7b19e4e1cf7cdd3 Mon Sep 17 00:00:00 2001
+From 9cd5cbccade9b18c7ef250eca17396bafafd59c6 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 4/5] SELinux: Handle opening of a unioned file
+Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file
 
 Handle the opening of a unioned file by trying to derive the label that would
 be attached to the union-layer inode if it doesn't exist.
@@ -26,10 +26,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 70 insertions(+)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 5b5864f..1b5a338 100644
+index 7c1a44d..522b070 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -3474,10 +3474,72 @@ static int selinux_file_receive(struct file *file)
+@@ -3520,10 +3520,72 @@ static int selinux_file_receive(struct file *file)
  	return file_has_perm(cred, file, file_to_av(file));
  }
  
@@ -102,7 +102,7 @@ index 5b5864f..1b5a338 100644
  
  	fsec = file->f_security;
  	isec = file_inode(file)->i_security;
-@@ -3498,6 +3560,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
+@@ -3544,6 +3606,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
  	 * new inode label or new policy.
  	 * This check is not redundant - do not remove.
  	 */
@@ -129,5 +129,5 @@ index 81fa718..f088c08 100644
  };
  
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0018-SELinux-Check-against-union-label-for-file-operation.patch

@@ -1,7 +1,7 @@
-From 8801593b646aa444732e4c7431442d453d1b08cf Mon Sep 17 00:00:00 2001
+From c64b14da9495c0bcecd0d48e9fcde1898b6623b6 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 5/5] SELinux: Check against union label for file operations
+Subject: [PATCH 18/21] SELinux: Check against union label for file operations
 
 File operations (eg. read, write) issued against a file that is attached to
 the lower layer of a union file needs to be checked against the union-layer
@@ -16,10 +16,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 1b5a338..b33cbbb 100644
+index 522b070..ecc883b 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -1671,6 +1671,7 @@ static int file_has_perm(const struct cred *cred,
+@@ -1682,6 +1682,7 @@ static int file_has_perm(const struct cred *cred,
  			 struct file *file,
  			 u32 av)
  {
@@ -27,7 +27,7 @@ index 1b5a338..b33cbbb 100644
  	struct file_security_struct *fsec = file->f_security;
  	struct inode *inode = file_inode(file);
  	struct common_audit_data ad;
-@@ -1691,8 +1692,15 @@ static int file_has_perm(const struct cred *cred,
+@@ -1702,8 +1703,15 @@ static int file_has_perm(const struct cred *cred,
  
  	/* av is zero if only checking access to the descriptor. */
  	rc = 0;
@@ -46,5 +46,5 @@ index 1b5a338..b33cbbb 100644
  out:
  	return rc;
 -- 
-2.4.3
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0019-net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch

@@ -1,7 +1,7 @@
-From 628cd64abeb364a53b86aa1dbbff151df536abfa Mon Sep 17 00:00:00 2001
+From c82a8afba2f38c29c95db14f4b73fed0bd9ebbf4 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Wed, 2 Sep 2015 16:08:30 -0700
-Subject: [PATCH] net/wireless/wl18xx: Add missing MODULE_FIRMWARE
+Subject: [PATCH 19/21] net/wireless/wl18xx: Add missing MODULE_FIRMWARE
 
 Fixes the output of 'modinfo --field firmware'.
 
@@ -11,14 +11,14 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
  1 file changed, 1 insertion(+)
 
 diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
-index 49aca2c..3bbf624 100644
+index abbf054..50cce42 100644
 --- a/drivers/net/wireless/ti/wl18xx/main.c
 +++ b/drivers/net/wireless/ti/wl18xx/main.c
-@@ -2062,3 +2062,4 @@ MODULE_PARM_DESC(num_rx_desc_param,
+@@ -2115,3 +2115,4 @@ MODULE_PARM_DESC(num_rx_desc_param,
  MODULE_LICENSE("GPL v2");
  MODULE_AUTHOR("Luciano Coelho <coelho@ti.com>");
  MODULE_FIRMWARE(WL18XX_FW_NAME);
 +MODULE_FIRMWARE(WL18XX_CONF_FILE_NAME);
 -- 
-2.1.0
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0020-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch

@@ -1,7 +1,7 @@
-From 885f27cadbb562bb405c258ab6053f52efbf4de7 Mon Sep 17 00:00:00 2001
+From 8fdb5e7ddc542c21fd28922fe9aa59581b67c895 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Mon, 19 Oct 2015 17:53:12 -0700
-Subject: [PATCH] overlayfs: use a minimal buffer in ovl_copy_xattr
+Subject: [PATCH 20/21] overlayfs: use a minimal buffer in ovl_copy_xattr
 
 Rather than always allocating the high-order XATTR_SIZE_MAX buffer
 which is costly and prone to failure, only allocate what is needed and
@@ -13,7 +13,7 @@ Fixes https://github.com/coreos/bugs/issues/489
  1 file changed, 22 insertions(+), 9 deletions(-)
 
 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 8f66b39..9426e60 100644
+index 865f80a..749bf00 100644
 --- a/fs/overlayfs/copy_up.c
 +++ b/fs/overlayfs/copy_up.c
 @@ -22,8 +22,8 @@
@@ -72,5 +72,5 @@ index 8f66b39..9426e60 100644
  						     name, value, &size);
  		if (error < 0)
 -- 
-2.4.6
+2.4.10
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.3/0021-net-switchdev-fix-return-code-of-fdb_dump-stub.patch

@@ -1,7 +1,7 @@
-From d5eda9e85df6d1894d0d16155e0900daadb4ce1b Mon Sep 17 00:00:00 2001
+From adab4d12ddd30b27b1d620cb73f9ac31c189c386 Mon Sep 17 00:00:00 2001
 From: Dragos Tatulea <dragos@endocode.com>
 Date: Mon, 16 Nov 2015 10:52:48 +0100
-Subject: [PATCH 22/22] net: switchdev: fix return code of fdb_dump stub
+Subject: [PATCH 21/21] net: switchdev: fix return code of fdb_dump stub
 
 rtnl_fdb_dump always expects an index to be returned by the ndo_fdb_dump op,
 but when CONFIG_NET_SWITCHDEV is off, it returns an error.
@@ -21,10 +21,10 @@ Signed-off-by: David S. Miller <davem@davemloft.net>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/include/net/switchdev.h b/include/net/switchdev.h
-index d5671f1..0b91979 100644
+index 319baab..731c40e 100644
 --- a/include/net/switchdev.h
 +++ b/include/net/switchdev.h
-@@ -268,7 +268,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb,
+@@ -272,7 +272,7 @@ static inline int switchdev_port_fdb_dump(struct sk_buff *skb,
  					  struct net_device *filter_dev,
  					  int idx)
  {
@@ -32,7 +32,7 @@ index d5671f1..0b91979 100644
 +       return idx;
  }
  
- #endif
+ static inline void switchdev_port_fwd_mark_set(struct net_device *dev,
 -- 
-2.4.6
+2.4.10