coreos-{kernel,sources}: bump to 4.5.0

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1,2 +1 @@
-DIST linux-4.4.tar.xz 87295988 SHA256 401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2 SHA512 13c8459933a8b80608e226a1398e3d1848352ace84bcfb7e6a4a33cb230bbe1ab719d4b58e067283df91ce5311be6d2d595fc8c19e2ae6ecc652499415614b3e WHIRLPOOL 02abc203d867404b9934aaa4c1e5b5dcbb0b0021e91a03f3a7e7fd224eed106821d8b4949f32a590536db150e5a88c16fcde88538777a26d0c17900f0257b1bc
+DIST linux-4.5.tar.xz 88375040 SHA256 a40defb401e01b37d6b8c8ad5c1bbab665be6ac6310cdeed59950c96b31a519c SHA512 cb0d5f30baff37dfea40fbc1119a1482182f95858c883e019ee3f81055c8efbdb9dba7dfc02ebcc4216db38f03ece58688e69efc0fce1dade359af30bd5426de WHIRLPOOL 8faa0b02c5733fc45dbe61f82a7022e9246b9b1665f27541d4afa5d14c310b9dce7a8532dfac8273898edf8c6923654ee2fbcf2cec1ec2a220f4c9f926f2b333
-DIST patch-4.4.6.xz 236492 SHA256 efea93ff30955d445344a83c36678fa8e64111219eeafea2a41fd4ee11f79d68 SHA512 73da057476eb31d818eed4b66c883f5ceec65f18ec8ea60d64e48334c7681af4ed4cf7eb8684481f705446a59fd124de9449d22e28805bc9617b6608ecec491d WHIRLPOOL dfd28d1c53887c5d1efb2ff763044ea5da58c276e4d1b1035f7796068aaee2fd603cf100ee1f1c03d88bf50451244f082ab60db04efc735eb31f44c52ec9ff94

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.6.ebuild

@@ -1,46 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
-		${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
-		${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-		${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-		${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
-		${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-		${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-		${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-		${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-		${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-		${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
-		${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-		${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
-		${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
-		${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
-		${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
-		${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
-		${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
-		${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
-		${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-		${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
-		${PATCH_DIR}/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
-"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild

@@ -0,0 +1,46 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+		${PATCH_DIR}/0001-Add-secure_modules-call.patch \
+		${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+		${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+		${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
+		${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+		${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+		${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+		${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+		${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+		${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
+		${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+		${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+		${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+		${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+		${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
+		${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
+		${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+		${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
+		${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
+		${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+		${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch

@@ -1,36 +0,0 @@
-From 19dcc9bee719a81d3b2ed1386e76c9c2ae5a87c7 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@coreos.com>
-Date: Tue, 1 Mar 2016 15:00:15 -0800
-Subject: [PATCH 21/21] Fix unallocated memory access in TPM eventlog code
-
-COmmit 0cc698 added support for handling endian fixups in the event log code
-but broke the binary log file in the process. Keep the endian code, but read
-the event data from the actual event rather than from unallocated RAM.
-
-Signed-off-by: Matthew Garrett <mjg59@coreos.com>
-Cc: stable@kernel.org
----
- drivers/char/tpm/tpm_eventlog.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
-index bd72fb0..e47092c 100644
---- a/drivers/char/tpm/tpm_eventlog.c
-+++ b/drivers/char/tpm/tpm_eventlog.c
-@@ -244,7 +244,12 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
- 
- 	tempPtr = (char *)&temp_event;
- 
--	for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++)
-+	for (i = 0; i < sizeof(struct tcpa_event); i++)
-+		seq_putc(m, tempPtr[i]);
-+
-+	tempPtr = (char *)&event->event_data;
-+
-+	for (i = 0; i < temp_event.event_size; i++)
- 		seq_putc(m, tempPtr[i]);
- 
- 	return 0;
--- 
-2.4.6
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch

@@ -1,4 +1,4 @@
-From d4d385a22ccc111d15661600328527902c40739c Mon Sep 17 00:00:00 2001
+From fcf2db4366ca7c0ca81bfbee603b864b4347cbe5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
 Subject: [PATCH 01/21] Add secure_modules() call
@@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  2 files changed, 16 insertions(+)
 
 diff --git a/include/linux/module.h b/include/linux/module.h
-index 3a19c79..db38634 100644
+index 2bb0c30..ab13009 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -630,6 +630,8 @@ static inline bool module_requested_async_probing(struct module *module)
  	return module && module->async_probe_requested;
  }
  
@@ -29,7 +29,7 @@ index 3a19c79..db38634 100644
  #else /* !CONFIG_MODULES... */
  
  /* Given an address, look for it in the exception tables. */
-@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module)
+@@ -746,6 +748,10 @@ static inline bool module_requested_async_probing(struct module *module)
  	return false;
  }
  
@@ -41,10 +41,10 @@ index 3a19c79..db38634 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 14833e6..88bd7ec 100644
+index 794ebe8..7dfb91b 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4101,3 +4101,13 @@ void module_layout(struct module *mod,
+@@ -4112,3 +4112,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif
@@ -59,5 +59,5 @@ index 14833e6..88bd7ec 100644
 +}
 +EXPORT_SYMBOL(secure_modules);
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,4 +1,4 @@
-From 444f189f7e20976a2464a8dfd9619f716b7f523c Mon Sep 17 00:00:00 2001
+From 00d259d880af2beb8e40f54fc391f9bcff74dd8e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
 Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is
@@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  3 files changed, 19 insertions(+), 2 deletions(-)
 
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index eead54c..bb59ecd 100644
+index 95d9e7b..0e249f1 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
 @@ -30,6 +30,7 @@
@@ -29,7 +29,7 @@ index eead54c..bb59ecd 100644
  #include "pci.h"
  
  static int sysfs_initialized;	/* = 0 */
-@@ -713,6 +714,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+@@ -711,6 +712,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
  	loff_t init_off = off;
  	u8 *data = (u8 *) buf;
  
@@ -39,7 +39,7 @@ index eead54c..bb59ecd 100644
  	if (off > dev->cfg_size)
  		return 0;
  	if (off + count > dev->cfg_size) {
-@@ -1007,6 +1011,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
  	resource_size_t start, end;
  	int i;
  
@@ -49,7 +49,7 @@ index eead54c..bb59ecd 100644
  	for (i = 0; i < PCI_ROM_RESOURCE; i++)
  		if (res == &pdev->resource[i])
  			break;
-@@ -1108,6 +1115,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+@@ -1098,6 +1105,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
  				     struct bin_attribute *attr, char *buf,
  				     loff_t off, size_t count)
  {
@@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,4 +1,4 @@
-From 2277563f06778502ded6abe65d843f2b60b3ce03 Mon Sep 17 00:00:00 2001
+From b6df0aa8a4a37a61c84eaa81d7e5ceef59e2aa59 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
 Subject: [PATCH 03/21] x86: Lock down IO port access when module security is
@@ -46,7 +46,7 @@ index 37dae79..1ecc03c 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 6b1721f..53fe675 100644
+index 4f6f94c..9d53d66 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -27,6 +27,7 @@
@@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch

@@ -1,4 +1,4 @@
-From b033a8984baef5309907d1bda6323063522a9e26 Mon Sep 17 00:00:00 2001
+From 23fd87347efce05c7500210e38c4e557d2314b65 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
 Subject: [PATCH 04/21] ACPI: Limit access to custom_method
@@ -27,5 +27,5 @@ index c68e724..4277938 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,4 +1,4 @@
-From 0ead62ff1092f98ebba09c35a7877fa7cb8b84aa Mon Sep 17 00:00:00 2001
+From cb9a6384b9fb18f33bdf2717df93aba01e32b17d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
 Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module
@@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index f96f7b8..01af903 100644
+index a96630d..92bf6b1 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
-@@ -1870,6 +1870,9 @@ static int show_dsts(struct seq_file *m, void *data)
+@@ -1867,6 +1867,9 @@ static int show_dsts(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
@@ -29,7 +29,7 @@ index f96f7b8..01af903 100644
  	err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
  
  	if (err < 0)
-@@ -1886,6 +1889,9 @@ static int show_devs(struct seq_file *m, void *data)
+@@ -1883,6 +1886,9 @@ static int show_devs(struct seq_file *m, void *data)
  	int err;
  	u32 retval = -1;
  
@@ -39,7 +39,7 @@ index f96f7b8..01af903 100644
  	err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
  				    &retval);
  
-@@ -1910,6 +1916,9 @@ static int show_call(struct seq_file *m, void *data)
+@@ -1907,6 +1913,9 @@ static int show_call(struct seq_file *m, void *data)
  	union acpi_object *obj;
  	acpi_status status;
  
@@ -50,5 +50,5 @@ index f96f7b8..01af903 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,4 +1,4 @@
-From 78754044710d2afc46b910b3de24775ae6fdf0c5 Mon Sep 17 00:00:00 2001
+From eecc59493292b4fc199cee082b88f2deec02018d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
 Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 53fe675..b52c888 100644
+index 9d53d66..918f43a 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -38,5 +38,5 @@ index 53fe675..b52c888 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,4 +1,4 @@
-From c874298a9a0bf7d9041d6462c0225d17ad6e478d Mon Sep 17 00:00:00 2001
+From e2d101b00ccfba464fd82db710dcae260c17fc1d Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
 Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 32d684a..f8570a0 100644
+index 67da6fb..e027761 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 32d684a..f8570a0 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -254,7 +255,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC
@@ -35,5 +35,5 @@ index 32d684a..f8570a0 100644
  #endif
  
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,4 +1,4 @@
-From 4b0506ea0496f3fc847cdd7a6ef2966867d08f05 Mon Sep 17 00:00:00 2001
+From cebac394600acad86fac15fbafc01693ab6fdd5c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
 Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index d873b64..3d09642 100644
+index ee70aef..755198b 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
 @@ -17,6 +17,7 @@
@@ -35,5 +35,5 @@ index d873b64..3d09642 100644
  
  	/*
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,4 +1,4 @@
-From 5fe1e81ed7603157e00c8e333754225f5dcf8557 Mon Sep 17 00:00:00 2001
+From fe362fcdfb3eda249a88790c4d6003a551c586cd Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
 Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is
@@ -15,10 +15,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 113e707..26c2f83 100644
+index 64f9616..7fde015 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
-@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
+@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
  	int err = 0;
  	ssize_t bytes = 0;
  
@@ -28,7 +28,7 @@ index 113e707..26c2f83 100644
  	if (count % 8)
  		return -EINVAL;	/* Invalid chunk size */
  
-@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
+@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
  			err = -EBADF;
  			break;
  		}
@@ -40,5 +40,5 @@ index 113e707..26c2f83 100644
  			err = -EFAULT;
  			break;
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,4 +1,4 @@
-From 1a1dd3d6e85dc69e8eb5991dedf2c4030fb10366 Mon Sep 17 00:00:00 2001
+From 323216a1694f4d402ce89432d75b7d2756417b68 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
 Subject: [PATCH 10/21] Add option to automatically enforce module signatures
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index db3622f..5578b6e 100644
+index c46662f..a10f771 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1720,6 +1720,16 @@ config EFI_MIXED
+@@ -1754,6 +1754,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -130,10 +130,10 @@ index 3292543..b61f853 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index d2bbe34..a35c42f 100644
+index d3d80e6..94eb7dd 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1143,6 +1143,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1145,6 +1145,12 @@ void __init setup_arch(char **cmdline_p)
  
  	io_delay_init();
  
@@ -147,7 +147,7 @@ index d2bbe34..a35c42f 100644
  	 * Parse the ACPI tables for possible boot-time SMP configuration.
  	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index db38634..4b8df91 100644
+index ab13009..e072b84 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
 @@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
@@ -164,10 +164,10 @@ index db38634..4b8df91 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 88bd7ec..e5117b67 100644
+index 7dfb91b..6eb3c6c 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4102,6 +4102,13 @@ void module_layout(struct module *mod,
+@@ -4113,6 +4113,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  
@@ -182,5 +182,5 @@ index 88bd7ec..e5117b67 100644
  {
  #ifdef CONFIG_MODULE_SIG
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,4 +1,4 @@
-From 47adb92861b5ed64dfb451c87df65e3190c84559 Mon Sep 17 00:00:00 2001
+From dbfa35d390791ae9c39f043fe0209c4fc4b1ec7b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
 Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 5578b6e..da9ae8a 100644
+index a10f771..36a2818 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1721,7 +1721,8 @@ config EFI_MIXED
+@@ -1755,7 +1755,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE
@@ -26,5 +26,5 @@ index 5578b6e..da9ae8a 100644
  	---help---
  	  UEFI Secure Boot provides a mechanism for ensuring that the
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,4 +1,4 @@
-From f65b02e6559706984f60260fd7b56e62230c4a18 Mon Sep 17 00:00:00 2001
+From f8c98a5d526a3627cad4dd5b6cc81bf12f862326 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
 Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index a35c42f..e96398f 100644
+index 94eb7dd..7c9fc347 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1147,7 +1147,9 @@ void __init setup_arch(char **cmdline_p)
  
  #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
  	if (boot_params.secure_boot) {
@@ -27,7 +27,7 @@ index a35c42f..e96398f 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 569b5a8..4dc970e 100644
+index 47be3ad..9bf95e8 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
 @@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *);
@@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,4 +1,4 @@
-From 6c9baf862507876196ad55c98604cc75fa4c1b3d Mon Sep 17 00:00:00 2001
+From 5cb706dfbad58dfee5ee54346d47d1cb588219c3 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
 Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment
@@ -35,5 +35,5 @@ index b7342a2..8a6b218 100644
  
  /**
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch

@@ -1,4 +1,4 @@
-From 2302270e90b6a78ce6a0de8ec5fa18072875b01d Mon Sep 17 00:00:00 2001
+From 7aa0a80475c2c565a5128d85c148af92560c8fa3 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
 Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned
@@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  3 files changed, 54 insertions(+)
 
 diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index ec3a6ba..8c0c524 100644
+index 71969de..f5b7267 100644
 --- a/include/linux/lsm_hooks.h
 +++ b/include/linux/lsm_hooks.h
 @@ -401,6 +401,24 @@
@@ -49,17 +49,17 @@ index ec3a6ba..8c0c524 100644
   *
   * Security hooks for file operations
   *
-@@ -1421,6 +1439,9 @@ union security_list_options {
+@@ -1425,6 +1443,9 @@ union security_list_options {
  	int (*inode_listsecurity)(struct inode *inode, char *buffer,
  					size_t buffer_size);
- 	void (*inode_getsecid)(const struct inode *inode, u32 *secid);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
 +	int (*inode_copy_up) (struct dentry *src, struct dentry *dst);
 +	int (*inode_copy_up_xattr) (struct dentry *src, struct dentry *dst,
 +				    const char *name, void *value, size_t *size);
  
  	int (*file_permission)(struct file *file, int mask);
  	int (*file_alloc_security)(struct file *file);
-@@ -1689,6 +1710,8 @@ struct security_hook_heads {
+@@ -1694,6 +1715,8 @@ struct security_hook_heads {
  	struct list_head inode_setsecurity;
  	struct list_head inode_listsecurity;
  	struct list_head inode_getsecid;
@@ -69,13 +69,13 @@ index ec3a6ba..8c0c524 100644
  	struct list_head file_alloc_security;
  	struct list_head file_free_security;
 diff --git a/include/linux/security.h b/include/linux/security.h
-index 2f4c1f7..ec21144 100644
+index 4824a4c..1f9ea40 100644
 --- a/include/linux/security.h
 +++ b/include/linux/security.h
-@@ -274,6 +274,10 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void
+@@ -274,6 +274,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
  int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
  int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(const struct inode *inode, u32 *secid);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
 +int security_inode_copy_up(struct dentry *src, struct dentry *dst);
 +int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst,
 +				 const char *name, void *value, size_t *size);
@@ -83,7 +83,7 @@ index 2f4c1f7..ec21144 100644
  int security_file_permission(struct file *file, int mask);
  int security_file_alloc(struct file *file);
  void security_file_free(struct file *file);
-@@ -739,6 +743,16 @@ static inline void security_inode_getsecid(const struct inode *inode, u32 *secid
+@@ -740,6 +744,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
  	*secid = 0;
  }
  
@@ -101,10 +101,10 @@ index 2f4c1f7..ec21144 100644
  {
  	return 0;
 diff --git a/security/security.c b/security/security.c
-index 46f405c..e33c5d5 100644
+index e8ffd92..f1a1dbf 100644
 --- a/security/security.c
 +++ b/security/security.c
-@@ -726,6 +726,19 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid)
+@@ -726,6 +726,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
  	call_void_hook(inode_getsecid, inode, secid);
  }
  
@@ -124,7 +124,7 @@ index 46f405c..e33c5d5 100644
  int security_file_permission(struct file *file, int mask)
  {
  	int ret;
-@@ -1654,6 +1667,10 @@ struct security_hook_heads security_hook_heads = {
+@@ -1660,6 +1673,10 @@ struct security_hook_heads security_hook_heads = {
  		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
  	.inode_getsecid =
  		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
@@ -136,5 +136,5 @@ index 46f405c..e33c5d5 100644
  		LIST_HEAD_INIT(security_hook_heads.file_permission),
  	.file_alloc_security =
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch

@@ -1,4 +1,4 @@
-From b8b4027d3d1666411c8f323236fe8c8c3a454137 Mon Sep 17 00:00:00 2001
+From 72e28365e6ab54a078af74a958ed25ad85228b31 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
 Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
@@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 12 insertions(+)
 
 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index eff6319..e153e17 100644
+index d894e7c..fa6610a 100644
 --- a/fs/overlayfs/copy_up.c
 +++ b/fs/overlayfs/copy_up.c
 @@ -70,6 +70,14 @@ retry:
@@ -23,7 +23,7 @@ index eff6319..e153e17 100644
 +		error = security_inode_copy_up_xattr(old, new,
 +						     name, value, &size);
 +		if (error < 0)
-+			break;
++			goto out_free_value;
 +		if (error == 1) {
 +			error = 0;
 +			continue; /* Discard */
@@ -43,5 +43,5 @@ index eff6319..e153e17 100644
  		struct path upperpath;
  		ovl_path_upper(dentry, &upperpath);
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch

@@ -1,4 +1,4 @@
-From 98e460005ad53f5c92fc070a177bcb2f5daa8d7d Mon Sep 17 00:00:00 2001
+From 7640e15f1c2473e7d698e5f66aa7290f4f1b5fcd Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
 Subject: [PATCH 16/21] SELinux: Stub in copy-up handling
@@ -13,10 +13,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 20 insertions(+)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d0cfaa9..d062209 100644
+index f1ab715..d361b74 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -3188,6 +3188,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
+@@ -3253,6 +3253,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
  	*secid = isec->sid;
  }
  
@@ -41,7 +41,7 @@ index d0cfaa9..d062209 100644
  /* file security operations */
  
  static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -5919,6 +5937,8 @@ static struct security_hook_list selinux_hooks[] = {
+@@ -5996,6 +6014,8 @@ static struct security_hook_list selinux_hooks[] = {
  	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
  	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
  	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
@@ -51,5 +51,5 @@ index d0cfaa9..d062209 100644
  	LSM_HOOK_INIT(file_permission, selinux_file_permission),
  	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch

@@ -1,4 +1,4 @@
-From 3bdeb87a02c98c290c46aad2d16b1a70a28ee19e Mon Sep 17 00:00:00 2001
+From dfaa3503791924a8ffebbed60073f5f8715093a3 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
 Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file
@@ -26,10 +26,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  2 files changed, 70 insertions(+)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d062209..5f0a11f 100644
+index d361b74..7186928 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -3518,10 +3518,72 @@ static int selinux_file_receive(struct file *file)
+@@ -3584,10 +3584,72 @@ static int selinux_file_receive(struct file *file)
  	return file_has_perm(cred, file, file_to_av(file));
  }
  
@@ -101,8 +101,8 @@ index d062209..5f0a11f 100644
 +	int rc;
  
  	fsec = file->f_security;
- 	isec = file_inode(file)->i_security;
+ 	isec = inode_security(file_inode(file));
-@@ -3542,6 +3604,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
+@@ -3608,6 +3670,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
  	 * new inode label or new policy.
  	 * This check is not redundant - do not remove.
  	 */
@@ -117,10 +117,10 @@ index d062209..5f0a11f 100644
  }
  
 diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
-index 81fa718..f088c08 100644
+index a2ae054..54cce84 100644
 --- a/security/selinux/include/objsec.h
 +++ b/security/selinux/include/objsec.h
-@@ -54,6 +54,7 @@ struct file_security_struct {
+@@ -60,6 +60,7 @@ struct file_security_struct {
  	u32 sid;		/* SID of open file description */
  	u32 fown_sid;		/* SID of file owner (for SIGIO) */
  	u32 isid;		/* SID of inode at the time of file open */
@@ -129,5 +129,5 @@ index 81fa718..f088c08 100644
  };
  
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch

@@ -1,4 +1,4 @@
-From 19c9589933e63e418736e12aeff9d4f5b08054e7 Mon Sep 17 00:00:00 2001
+From 52ad0951b6bfb8f10f57d6c26dca14925c772539 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
 Subject: [PATCH 18/21] SELinux: Check against union label for file operations
@@ -16,10 +16,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
  1 file changed, 10 insertions(+), 2 deletions(-)
 
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 5f0a11f..e33019e 100644
+index 7186928..a44cca7 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -1682,6 +1682,7 @@ static int file_has_perm(const struct cred *cred,
+@@ -1745,6 +1745,7 @@ static int file_has_perm(const struct cred *cred,
  			 struct file *file,
  			 u32 av)
  {
@@ -27,7 +27,7 @@ index 5f0a11f..e33019e 100644
  	struct file_security_struct *fsec = file->f_security;
  	struct inode *inode = file_inode(file);
  	struct common_audit_data ad;
-@@ -1702,8 +1703,15 @@ static int file_has_perm(const struct cred *cred,
+@@ -1765,8 +1766,15 @@ static int file_has_perm(const struct cred *cred,
  
  	/* av is zero if only checking access to the descriptor. */
  	rc = 0;
@@ -46,5 +46,5 @@ index 5f0a11f..e33019e 100644
  out:
  	return rc;
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch

@@ -0,0 +1,41 @@
+From 6f36c5dba801f60119a75e20dd9df5369f005144 Mon Sep 17 00:00:00 2001
+From: Vito Caputo <vito.caputo@coreos.com>
+Date: Mon, 19 Oct 2015 17:53:12 -0700
+Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
+
+Rather than always allocating the high-order XATTR_SIZE_MAX buffer
+which is costly and prone to failure, only allocate what is needed and
+realloc if necessary.
+
+Fixes https://github.com/coreos/bugs/issues/489
+---
+ fs/overlayfs/copy_up.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index fa6610a..78c1aa3 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -70,6 +70,19 @@ retry:
+ 			value_size = size;
+ 			goto retry;
+ 		}
++
++		if (size > value_size) {
++			void *new;
++			new = krealloc(value, size, GFP_KERNEL);
++			if (!new) {
++				error = -ENOMEM;
++				goto out_free_value;
++			}
++			value = new;
++			value_size = size;
++			goto retry;
++		}
++
+ 		error = security_inode_copy_up_xattr(old, new,
+ 						     name, value, &size);
+ 		if (error < 0)
+-- 
+2.7.3
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 274bc65fa0a1185d50b45fe84a8647af63cdb6ee Mon Sep 17 00:00:00 2001
+From 446a9480ed10cff1f2657b94d21f4b40edaf0140 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 802be10..2d2f994 100644
+index 7b3ecdc..7d950e4 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index 802be10..2d2f994 100644
  
  # Leave processing to above invocation of make
 -- 
-2.4.6
+2.7.3
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch

@@ -1,7 +1,7 @@
-From 18b8e9f92afd62598d454e68138dda551ce7d381 Mon Sep 17 00:00:00 2001
+From b9136a24769ff9012e96ca4936108ffc5995916e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 22 Dec 2015 07:43:52 +0000
-Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on
+Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on
  overlayfs
 
 If a user opens a file r/w on overlayfs, and if the underlying inode is
@@ -19,10 +19,10 @@ the selinux permissions check if that flag is set.
  3 files changed, 13 insertions(+)
 
 diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
-index b29036a..545b856 100644
+index a4ff5d0..6ba3443 100644
 --- a/fs/overlayfs/inode.c
 +++ b/fs/overlayfs/inode.c
-@@ -138,6 +138,9 @@ int ovl_permission(struct inode *inode, int mask)
+@@ -163,6 +163,9 @@ int ovl_permission(struct inode *inode, int mask)
  			goto out_dput;
  	}
  
@@ -33,10 +33,10 @@ index b29036a..545b856 100644
  out_dput:
  	dput(alias);
 diff --git a/include/linux/fs.h b/include/linux/fs.h
-index 3aa5142..5712013 100644
+index ae68100..fb6e94b 100644
 --- a/include/linux/fs.h
 +++ b/include/linux/fs.h
-@@ -82,6 +82,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
+@@ -83,6 +83,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
  #define MAY_CHDIR		0x00000040
  /* called from RCU mode, don't block */
  #define MAY_NOT_BLOCK		0x00000080
@@ -45,10 +45,10 @@ index 3aa5142..5712013 100644
  /*
   * flags in file.f_mode.  Note that FMODE_READ and FMODE_WRITE must correspond
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index e33019e..48746ee 100644
+index a44cca7..f5ca93c 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -2904,6 +2904,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
+@@ -2967,6 +2967,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
  	u32 audited, denied;
  
  	from_access = mask & MAY_ACCESS;
@@ -65,5 +65,5 @@ index e33019e..48746ee 100644
  
  	/* No permission to check.  Existence test. */
 -- 
-2.4.6
+2.7.3