mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-23 15:31:05 +02:00
Merge pull request #2294 from dm0-/fix-jenkins
sys-kernel/coreos-{sources,modules,kernel}: fix random Jenkins failures
commit
51d80c7be8
@ -2,7 +2,7 @@
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
COREOS_SOURCE_REVISION="-r1"
|
||||
inherit coreos-kernel
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel"
|
@ -2,7 +2,7 @@
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
COREOS_SOURCE_REVISION="-r1"
|
||||
inherit coreos-kernel savedconfig
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel modules"
|
@ -43,4 +43,5 @@ UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
|
||||
${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
|
||||
${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch \
|
||||
"
|
@ -1,7 +1,7 @@
|
||||
From 61aa910fc208741c4bff9801566a1ca0a24531d9 Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:57 -0400
|
||||
Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for
|
||||
Subject: [PATCH 01/22] security, overlayfs: provide copy up security hook for
|
||||
unioned files
|
||||
|
||||
Provide a security hook to label new file correctly when a file is copied
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 591db70df1daa6d3fec150d1ec822ae413385323 Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:58 -0400
|
||||
Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook
|
||||
Subject: [PATCH 02/22] selinux: Implementation for inode_copy_up() hook
|
||||
|
||||
A file is being copied up for overlay file system. Prepare a new set of
|
||||
creds and set create_sid appropriately so that new file is created with
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c4b0abc5ee89f6b6adc9b9aa6712f0403f43df69 Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:58 -0400
|
||||
Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up
|
||||
Subject: [PATCH 03/22] security,overlayfs: Provide security hook for copy up
|
||||
of xattrs for overlay file
|
||||
|
||||
Provide a security hook which is called when xattrs of a file are being
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 0b0daf47ee34e3c2bbb22a7620396461e20daca1 Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:58 -0400
|
||||
Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook
|
||||
Subject: [PATCH 04/22] selinux: Implementation for inode_copy_up_xattr() hook
|
||||
|
||||
When a file is copied up in overlay, we have already created file on upper/
|
||||
with right label and there is no need to copy up selinux label/xattr from
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 27a7af7125c4984bdb75c2a027d6046744df411c Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:59 -0400
|
||||
Subject: [PATCH 05/21] selinux: Pass security pointer to
|
||||
Subject: [PATCH 05/22] selinux: Pass security pointer to
|
||||
determine_inode_label()
|
||||
|
||||
Right now selinux_determine_inode_label() works on security pointer of
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 1271cf983fa9292fd7c6dd1b0d2eb1fedecd8cdb Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:59 -0400
|
||||
Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label
|
||||
Subject: [PATCH 06/22] security, overlayfs: Provide hook to correctly label
|
||||
newly created files
|
||||
|
||||
During a new file creation we need to make sure new file is created with the
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 2c1808b93b771367bbb8f9617087ac550fee6b25 Mon Sep 17 00:00:00 2001
|
||||
From: Vivek Goyal <vgoyal@redhat.com>
|
||||
Date: Tue, 19 Jul 2016 14:34:59 -0400
|
||||
Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook
|
||||
Subject: [PATCH 07/22] selinux: Implement dentry_create_files_as() hook
|
||||
|
||||
Calculate what would be the label of newly created file and set that secid
|
||||
in the passed creds.
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 11eef9a6bb39e76cf94903fd09035a016105ecd3 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH 08/21] Add secure_modules() call
|
||||
Subject: [PATCH 08/22] Add secure_modules() call
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
has been configured to either disable module loading entirely or to load
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e2e5d6241f6deda933501efc2bf8561ac0ee823c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is
|
||||
Subject: [PATCH 09/22] PCI: Lock down BAR access when module security is
|
||||
enabled
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down from
|
||||
|
@ -1,7 +1,7 @@
|
||||
From dac8156e6c3b022f9aa7fe74f9633c4b516d836b Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 10/21] x86: Lock down IO port access when module security is
|
||||
Subject: [PATCH 10/22] x86: Lock down IO port access when module security is
|
||||
enabled
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
|
@ -1,7 +1,7 @@
|
||||
From af958e17249f457db4d717e930d03949a0409ce2 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 11/21] ACPI: Limit access to custom_method
|
||||
Subject: [PATCH 11/22] ACPI: Limit access to custom_method
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
it possible for an attacker to circumvent restrictions on module loading.
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 78eca915fa66229e2a849010183ca05c2f32dcb7 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module
|
||||
Subject: [PATCH 12/22] asus-wmi: Restrict debugfs interface when module
|
||||
loading is restricted
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a
|
||||
|
@ -1,7 +1,7 @@
|
||||
From d012dc5ff32ac9a20c81c2666693d27795246803 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
Subject: [PATCH 13/22] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
restricted
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c5afea751f473e5a4c3a3bc9ca6000210cc11d62 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
Subject: [PATCH 14/22] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
loading is restricted
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
|
@ -1,7 +1,7 @@
|
||||
From ef69c624f93bfe1f239a3c8fd7c18434315063a4 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Thu, 19 Nov 2015 18:55:53 -0800
|
||||
Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module
|
||||
Subject: [PATCH 15/22] kexec: Disable at runtime if the kernel enforces module
|
||||
loading restrictions
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7328100467c24fb90c510aed529969e50a504fcf Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is
|
||||
Subject: [PATCH 16/22] x86: Restrict MSR access when module loading is
|
||||
restricted
|
||||
|
||||
Writing to MSRs should not be allowed if module loading is restricted,
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 30317cca0747b8e31f5e6f45804883bc2e0a8062 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 17/21] Add option to automatically enforce module signatures
|
||||
Subject: [PATCH 17/22] Add option to automatically enforce module signatures
|
||||
when in Secure Boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
|
@ -1,7 +1,7 @@
|
||||
From fe523b61b4171c61dd3d8502f82ceca832e07455 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:28:43 -0400
|
||||
Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
Subject: [PATCH 18/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
|
||||
The functionality of the config option is dependent upon the platform being
|
||||
UEFI based. Reflect this in the config deps.
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e75618eb44390ca1a3c89116218bf95869534d54 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 19/22] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
for use with efi_enabled.
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e2c1136cd8b9ca7b1bab22d248275f48d1a304ab Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment
|
||||
Subject: [PATCH 20/22] hibernate: Disable in a signed modules environment
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7856850e71d8f561d4fdade202e9ce2992fb78bf Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 21/22] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
|
@ -0,0 +1,30 @@
|
||||
From b764ba9deb30b2b3b1089e6bd019235d8eeec7f0 Mon Sep 17 00:00:00 2001
|
||||
From: David Michael <david.michael@coreos.com>
|
||||
Date: Tue, 29 Nov 2016 11:15:12 -0800
|
||||
Subject: [PATCH 22/22] crypto: rsa - Add Makefile dependencies to fix parallel
|
||||
builds
|
||||
|
||||
Both asn1 headers are included by rsa_helper.c, so rsa_helper.o
|
||||
should explicitly depend on them.
|
||||
|
||||
Signed-off-by: David Michael <david.michael@coreos.com>
|
||||
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
||||
---
|
||||
crypto/Makefile | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/crypto/Makefile b/crypto/Makefile
|
||||
index 99cc64ac..bd6a029 100644
|
||||
--- a/crypto/Makefile
|
||||
+++ b/crypto/Makefile
|
||||
@@ -40,6 +40,7 @@ obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
|
||||
|
||||
$(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
|
||||
$(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
|
||||
+$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h
|
||||
clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
|
||||
clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h
|
||||
|
||||
--
|
||||
2.7.4
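Review bot: The new carried patch records no upstream origin, so nothing in the file tells a later maintainer which kernel release already contains the fix and when `z0022-crypto-rsa-Add-Makefile-dependencies-to-fix-parallel.patch` can be dropped from `UNIPATCH_LIST`. The `Signed-off-by: Herbert Xu` trailer suggests it went through the crypto tree, but that is an inference from the trailer, not something the file states. Because this kernel build also carries the Secure Boot and module-restriction series, every out-of-tree patch should be traceable to a reviewed source; I would add a line such as `(cherry picked from commit <UPSTREAM_COMMIT_ID>)` below the sign-offs, or a short note that the change is not yet upstream. The added rule `$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h` agrees with the commit message, but the rest of crypto/Makefile lies outside the hunk, so whether any other object includes these generated headers cannot be checked from here.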
|
||||
|