diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 29e2a7a552..e21570c206 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1 @@
-DIST linux-4.4.tar.xz 87295988 SHA256 401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2 SHA512 13c8459933a8b80608e226a1398e3d1848352ace84bcfb7e6a4a33cb230bbe1ab719d4b58e067283df91ce5311be6d2d595fc8c19e2ae6ecc652499415614b3e WHIRLPOOL 02abc203d867404b9934aaa4c1e5b5dcbb0b0021e91a03f3a7e7fd224eed106821d8b4949f32a590536db150e5a88c16fcde88538777a26d0c17900f0257b1bc
-DIST patch-4.4.6.xz 236492 SHA256 efea93ff30955d445344a83c36678fa8e64111219eeafea2a41fd4ee11f79d68 SHA512 73da057476eb31d818eed4b66c883f5ceec65f18ec8ea60d64e48334c7681af4ed4cf7eb8684481f705446a59fd124de9449d22e28805bc9617b6608ecec491d WHIRLPOOL dfd28d1c53887c5d1efb2ff763044ea5da58c276e4d1b1035f7796068aaee2fd603cf100ee1f1c03d88bf50451244f082ab60db04efc735eb31f44c52ec9ff94
+DIST linux-4.5.tar.xz 88375040 SHA256 a40defb401e01b37d6b8c8ad5c1bbab665be6ac6310cdeed59950c96b31a519c SHA512 cb0d5f30baff37dfea40fbc1119a1482182f95858c883e019ee3f81055c8efbdb9dba7dfc02ebcc4216db38f03ece58688e69efc0fce1dade359af30bd5426de WHIRLPOOL 8faa0b02c5733fc45dbe61f82a7022e9246b9b1665f27541d4afa5d14c310b9dce7a8532dfac8273898edf8c6923654ee2fbcf2cec1ec2a220f4c9f926f2b333
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.6.ebuild
deleted file mode 100644
index b31615da8a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.6.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-applied _after_ a potential patch-${KV}.patch file, present when building a
-patchlevel revision. We mustn't apply our patches first, it fails when the
-local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
- ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
- ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
- ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
- ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
- ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
- ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
- ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
- ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
- ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
- ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
- ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
- ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
- ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
- ${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
- ${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
- ${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
- ${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
- ${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
- ${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
- ${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
- ${PATCH_DIR}/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
-"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild
new file mode 100644
index 0000000000..3dfa523e47
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild
@@ -0,0 +1,46 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+applied _after_ a potential patch-${KV}.patch file, present when building a
+patchlevel revision. We mustn't apply our patches first, it fails when the
+local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+ ${PATCH_DIR}/0001-Add-secure_modules-call.patch \
+ ${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+ ${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+ ${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
+ ${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+ ${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+ ${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+ ${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+ ${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+ ${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
+ ${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+ ${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+ ${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+ ${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+ ${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
+ ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
+ ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+ ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
+ ${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
+ ${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+ ${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
deleted file mode 100644
index 2a7b961cbc..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
+++ /dev/null
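Review bot: The XXX comment kept above UNIPATCH_LIST still says the patch filenames are prefixed with "z" so they sort after a patch-${KV}.patch file, but every entry in the new list drops that prefix (`${PATCH_DIR}/0001-Add-secure_modules-call.patch` instead of `z0001-…`), so the comment now states the opposite of what the list does. With plain 4.5.0 the Manifest hunk carries no patch-4.5.x tarball, so the ordering is harmless today, but the first 4.5.x patchlevel bump would hit exactly the overlap failure the comment warns about; either restore the prefix or replace the stale paragraph with `# NOTE: no patch-${KV} file exists for 4.5.0; restore the "z" prefix on these patches (see git history) before bumping to a 4.5.x patchlevel.` The list also drops the 4.4 entry `z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch` without a replacement, and that patch's own header marks it `Cc: stable@kernel.org`; the commit does not say whether 4.5 already carries the fix, so it is worth confirming before this bump lands, otherwise the binary BIOS measurement log regresses on the new kernel.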
@@ -1,36 +0,0 @@ -From 19dcc9bee719a81d3b2ed1386e76c9c2ae5a87c7 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 1 Mar 2016 15:00:15 -0800 -Subject: [PATCH 21/21] Fix unallocated memory access in TPM eventlog code - -COmmit 0cc698 added support for handling endian fixups in the event log code -but broke the binary log file in the process. Keep the endian code, but read -the event data from the actual event rather than from unallocated RAM. - -Signed-off-by: Matthew Garrett -Cc: stable@kernel.org ---- - drivers/char/tpm/tpm_eventlog.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c -index bd72fb0..e47092c 100644 ---- a/drivers/char/tpm/tpm_eventlog.c -+++ b/drivers/char/tpm/tpm_eventlog.c -@@ -244,7 +244,12 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v) - - tempPtr = (char *)&temp_event; - -- for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++) -+ for (i = 0; i < sizeof(struct tcpa_event); i++) -+ seq_putc(m, tempPtr[i]); -+ -+ tempPtr = (char *)&event->event_data; -+ -+ for (i = 0; i < temp_event.event_size; i++) - seq_putc(m, tempPtr[i]); - - return 0; --- -2.4.6 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch index 2580100d01..e8d74e1617 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch @@ -1,4 +1,4 @@ -From d4d385a22ccc111d15661600328527902c40739c Mon Sep 17 00:00:00 2001 +From fcf2db4366ca7c0ca81bfbee603b864b4347cbe5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/21] Add secure_modules() call @@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index 3a19c79..db38634 100644 +index 2bb0c30..ab13009 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -630,6 +630,8 @@ static inline bool module_requested_async_probing(struct module *module) return module && module->async_probe_requested; } @@ -29,7 +29,7 @@ index 3a19c79..db38634 100644 #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module) +@@ -746,6 +748,10 @@ static inline bool module_requested_async_probing(struct module *module) return false; } @@ -41,10 +41,10 @@ index 3a19c79..db38634 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 14833e6..88bd7ec 100644 +index 794ebe8..7dfb91b 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4101,3 +4101,13 @@ void module_layout(struct module *mod, +@@ -4112,3 +4112,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index 14833e6..88bd7ec 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.4.6 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 8a0e7f1c0f..b8f748a4f7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,4 +1,4 @@ -From 444f189f7e20976a2464a8dfd9619f716b7f523c Mon Sep 17 00:00:00 2001 +From 00d259d880af2beb8e40f54fc391f9bcff74dd8e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is @@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index eead54c..bb59ecd 100644 +index 95d9e7b..0e249f1 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -30,6 +30,7 @@ @@ -29,7 +29,7 @@ index eead54c..bb59ecd 100644 #include "pci.h" static int sysfs_initialized; /* = 0 */ -@@ -713,6 +714,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, +@@ -711,6 +712,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj, loff_t init_off = off; u8 *data = (u8 *) buf; 
@@ -39,7 +39,7 @@ index eead54c..bb59ecd 100644 if (off > dev->cfg_size) return 0; if (off + count > dev->cfg_size) { -@@ -1007,6 +1011,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, +@@ -998,6 +1002,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, resource_size_t start, end; int i; @@ -49,7 +49,7 @@ index eead54c..bb59ecd 100644 for (i = 0; i < PCI_ROM_RESOURCE; i++) if (res == &pdev->resource[i]) break; -@@ -1108,6 +1115,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, +@@ -1098,6 +1105,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj, struct bin_attribute *attr, char *buf, loff_t off, size_t count) { @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index 0694bff73f..2f53a8aee8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,4 +1,4 @@ -From 2277563f06778502ded6abe65d843f2b60b3ce03 Mon Sep 17 00:00:00 2001 +From b6df0aa8a4a37a61c84eaa81d7e5ceef59e2aa59 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/21] x86: Lock down IO port access when module security is @@ -46,7 +46,7 @@ index 37dae79..1ecc03c 100644 } regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 6b1721f..53fe675 100644 +index 4f6f94c..9d53d66 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -27,6 +27,7 @@ @@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch index 11ebfc8999..60af4fb9e0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch @@ -1,4 +1,4 @@ -From b033a8984baef5309907d1bda6323063522a9e26 Mon Sep 17 00:00:00 2001 +From 23fd87347efce05c7500210e38c4e557d2314b65 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/21] ACPI: Limit access to custom_method @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.4.6 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 7893da78c6..990409d446 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,4 +1,4 @@ -From 0ead62ff1092f98ebba09c35a7877fa7cb8b84aa Mon Sep 17 00:00:00 2001 +From cb9a6384b9fb18f33bdf2717df93aba01e32b17d Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module @@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index f96f7b8..01af903 100644 +index a96630d..92bf6b1 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c -@@ -1870,6 +1870,9 @@ static int show_dsts(struct seq_file *m, void *data) +@@ -1867,6 +1867,9 @@ static int show_dsts(struct seq_file *m, void *data) int err; u32 retval = -1; 
@@ -29,7 +29,7 @@ index f96f7b8..01af903 100644 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); if (err < 0) -@@ -1886,6 +1889,9 @@ static int show_devs(struct seq_file *m, void *data) +@@ -1883,6 +1886,9 @@ static int show_devs(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -39,7 +39,7 @@ index f96f7b8..01af903 100644 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, &retval); -@@ -1910,6 +1916,9 @@ static int show_call(struct seq_file *m, void *data) +@@ -1907,6 +1913,9 @@ static int show_call(struct seq_file *m, void *data) union acpi_object *obj; acpi_status status; @@ -50,5 +50,5 @@ index f96f7b8..01af903 100644 1, asus->debug.method_id, &input, &output); -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 878a108e51..5aec2da86c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,4 +1,4 @@ -From 78754044710d2afc46b910b3de24775ae6fdf0c5 Mon Sep 17 00:00:00 2001 +From eecc59493292b4fc199cee082b88f2deec02018d Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 6 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index 53fe675..b52c888 100644 +index 9d53d66..918f43a 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -167,6 +167,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, @@ -38,5 +38,5 @@ index 53fe675..b52c888 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 4cb34f34f4..11851d67f3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,4 +1,4 @@ -From c874298a9a0bf7d9041d6462c0225d17ad6e478d Mon Sep 17 00:00:00 2001 +From e2d101b00ccfba464fd82db710dcae260c17fc1d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 32d684a..f8570a0 100644 +index 67da6fb..e027761 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -25,7 +25,7 @@ index 32d684a..f8570a0 100644 #include #include -@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -254,7 +255,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC @@ -35,5 +35,5 @@ index 32d684a..f8570a0 100644 #endif -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index ac06594025..5d8917755f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,4 +1,4 @@ -From 4b0506ea0496f3fc847cdd7a6ef2966867d08f05 Mon Sep 17 00:00:00 2001 +From cebac394600acad86fac15fbafc01693ab6fdd5c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/kernel/kexec.c b/kernel/kexec.c -index d873b64..3d09642 100644 +index ee70aef..755198b 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -17,6 +17,7 @@ @@ -35,5 +35,5 @@ index d873b64..3d09642 100644 /* -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index f5e7a8b2f4..bf77c2ae55 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,4 +1,4 @@ -From 5fe1e81ed7603157e00c8e333754225f5dcf8557 Mon Sep 17 00:00:00 2001 +From fe362fcdfb3eda249a88790c4d6003a551c586cd Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is @@ -15,10 +15,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 7 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 113e707..26c2f83 100644 +index 64f9616..7fde015 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c -@@ -105,6 +105,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, +@@ -83,6 +83,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; 
@@ -28,7 +28,7 @@ index 113e707..26c2f83 100644 if (count % 8) return -EINVAL; /* Invalid chunk size */ -@@ -152,6 +155,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) +@@ -130,6 +133,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EBADF; break; } @@ -40,5 +40,5 @@ index 113e707..26c2f83 100644 err = -EFAULT; break; -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch index 8b5c26aed3..3b8d4c3a03 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,4 +1,4 @@ -From 1a1dd3d6e85dc69e8eb5991dedf2c4030fb10366 Mon Sep 17 00:00:00 2001 +From 323216a1694f4d402ce89432d75b7d2756417b68 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 10/21] Add option to automatically enforce module signatures @@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index db3622f..5578b6e 100644 +index c46662f..a10f771 100644 --- a/arch/x86/Kconfig 
+++ b/arch/x86/Kconfig -@@ -1720,6 +1720,16 @@ config EFI_MIXED +@@ -1754,6 +1754,16 @@ config EFI_MIXED If unsure, say N. @@ -130,10 +130,10 @@ index 3292543..b61f853 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d2bbe34..a35c42f 100644 +index d3d80e6..94eb7dd 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1143,6 +1143,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1145,6 +1145,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -147,7 +147,7 @@ index d2bbe34..a35c42f 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index db38634..4b8df91 100644 +index ab13009..e072b84 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); @@ -164,10 +164,10 @@ index db38634..4b8df91 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 88bd7ec..e5117b67 100644 +index 7dfb91b..6eb3c6c 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4102,6 +4102,13 @@ void module_layout(struct module *mod, +@@ -4113,6 +4113,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -182,5 +182,5 @@ index 88bd7ec..e5117b67 100644 { #ifdef CONFIG_MODULE_SIG -- -2.4.6 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index a0d6ba2568..970e7a8cab 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,4 +1,4 @@ -From 47adb92861b5ed64dfb451c87df65e3190c84559 Mon Sep 17 00:00:00 2001 +From dbfa35d390791ae9c39f043fe0209c4fc4b1ec7b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 5578b6e..da9ae8a 100644 +index a10f771..36a2818 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1721,7 +1721,8 @@ config EFI_MIXED +@@ -1755,7 +1755,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -26,5 +26,5 @@ index 5578b6e..da9ae8a 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.4.6 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch index 3d3eafa0f5..3043473146 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,4 +1,4 @@ -From f65b02e6559706984f60260fd7b56e62230c4a18 Mon Sep 17 00:00:00 2001 +From f8c98a5d526a3627cad4dd5b6cc81bf12f862326 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit @@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index a35c42f..e96398f 100644 +index 94eb7dd..7c9fc347 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p) +@@ -1147,7 +1147,9 @@ void __init setup_arch(char **cmdline_p) #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE if (boot_params.secure_boot) { @@ -27,7 +27,7 @@ index a35c42f..e96398f 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 569b5a8..4dc970e 100644 +index 47be3ad..9bf95e8 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -980,6 +980,7 @@ extern int __init efi_setup_pcdp_console(char *); @@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644 #ifdef CONFIG_EFI /* -- -2.4.6 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch index 563be5b067..895e1d90bc 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,4 +1,4 @@ -From 6c9baf862507876196ad55c98604cc75fa4c1b3d Mon Sep 17 00:00:00 2001 +From 5cb706dfbad58dfee5ee54346d47d1cb588219c3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment @@ -35,5 +35,5 @@ index b7342a2..8a6b218 100644 /** -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch index 001435be5f..f8fb3ef686 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch @@ -1,4 +1,4 @@ -From 2302270e90b6a78ce6a0de8ec5fa18072875b01d Mon Sep 17 00:00:00 2001 +From 7aa0a80475c2c565a5128d85c148af92560c8fa3 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned @@ -21,7 +21,7 @@ Signed-off-by: David Howells 3 files changed, 54 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index ec3a6ba..8c0c524 100644 +index 71969de..f5b7267 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -401,6 +401,24 @@ @@ -49,17 +49,17 @@ index ec3a6ba..8c0c524 100644 * * Security hooks for file operations * -@@ -1421,6 +1439,9 @@ union security_list_options { +@@ -1425,6 +1443,9 @@ union security_list_options { int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); - void (*inode_getsecid)(const struct inode *inode, u32 *secid); + void (*inode_getsecid)(struct inode *inode, u32 *secid); + int (*inode_copy_up) (struct dentry *src, struct dentry *dst); + int (*inode_copy_up_xattr) (struct dentry *src, struct dentry *dst, + const char *name, void *value, size_t *size); int (*file_permission)(struct file *file, int mask); int (*file_alloc_security)(struct file *file); -@@ -1689,6 +1710,8 @@ struct security_hook_heads { +@@ -1694,6 +1715,8 @@ struct security_hook_heads { struct list_head inode_setsecurity; struct list_head inode_listsecurity; struct list_head inode_getsecid; @@ -69,13 +69,13 @@ index ec3a6ba..8c0c524 100644 struct list_head file_alloc_security; struct list_head file_free_security; 
diff --git a/include/linux/security.h b/include/linux/security.h -index 2f4c1f7..ec21144 100644 +index 4824a4c..1f9ea40 100644 --- a/include/linux/security.h +++ b/include/linux/security.h -@@ -274,6 +274,10 @@ int security_inode_getsecurity(const struct inode *inode, const char *name, void +@@ -274,6 +274,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); - void security_inode_getsecid(const struct inode *inode, u32 *secid); + void security_inode_getsecid(struct inode *inode, u32 *secid); +int security_inode_copy_up(struct dentry *src, struct dentry *dst); +int security_inode_copy_up_xattr(struct dentry *src, struct dentry *dst, + const char *name, void *value, size_t *size); @@ -83,7 +83,7 @@ index 2f4c1f7..ec21144 100644 int security_file_permission(struct file *file, int mask); int security_file_alloc(struct file *file); void security_file_free(struct file *file); -@@ -739,6 +743,16 @@ static inline void security_inode_getsecid(const struct inode *inode, u32 *secid +@@ -740,6 +744,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) *secid = 0; } @@ -101,10 +101,10 @@ index 2f4c1f7..ec21144 100644 { return 0; diff --git a/security/security.c b/security/security.c -index 46f405c..e33c5d5 100644 +index e8ffd92..f1a1dbf 100644 --- a/security/security.c +++ b/security/security.c -@@ -726,6 +726,19 @@ void security_inode_getsecid(const struct inode *inode, u32 *secid) +@@ -726,6 +726,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) call_void_hook(inode_getsecid, inode, secid); } 
@@ -124,7 +124,7 @@ index 46f405c..e33c5d5 100644 int security_file_permission(struct file *file, int mask) { int ret; -@@ -1654,6 +1667,10 @@ struct security_hook_heads security_hook_heads = { +@@ -1660,6 +1673,10 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), .inode_getsecid = LIST_HEAD_INIT(security_hook_heads.inode_getsecid), @@ -136,5 +136,5 @@ index 46f405c..e33c5d5 100644 LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch index 1855eedb6f..926b17c8a7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch @@ -1,4 +1,4 @@ -From b8b4027d3d1666411c8f323236fe8c8c3a454137 Mon Sep 17 00:00:00 2001 +From 72e28365e6ab54a078af74a958ed25ad85228b31 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks @@ -13,7 +13,7 @@ Signed-off-by: David Howells 1 file changed, 12 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index eff6319..e153e17 100644 +index d894e7c..fa6610a 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -70,6 +70,14 @@ retry: 
@@ -23,7 +23,7 @@ index eff6319..e153e17 100644 + error = security_inode_copy_up_xattr(old, new, + name, value, &size); + if (error < 0) -+ break; ++ goto out_free_value; + if (error == 1) { + error = 0; + continue; /* Discard */ @@ -43,5 +43,5 @@ index eff6319..e153e17 100644 struct path upperpath; ovl_path_upper(dentry, &upperpath); -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch index 345a113e39..1b896993a1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch @@ -1,4 +1,4 @@ -From 98e460005ad53f5c92fc070a177bcb2f5daa8d7d Mon Sep 17 00:00:00 2001 +From 7640e15f1c2473e7d698e5f66aa7290f4f1b5fcd Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 16/21] SELinux: Stub in copy-up handling @@ -13,10 +13,10 @@ Signed-off-by: David Howells 1 file changed, 20 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index d0cfaa9..d062209 100644 +index f1ab715..d361b74 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -3188,6 +3188,24 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) +@@ -3253,6 +3253,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) *secid = isec->sid; } 
@@ -41,7 +41,7 @@ index d0cfaa9..d062209 100644 /* file security operations */ static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -5919,6 +5937,8 @@ static struct security_hook_list selinux_hooks[] = { +@@ -5996,6 +6014,8 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), @@ -51,5 +51,5 @@ index d0cfaa9..d062209 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch index 92d65ac2db..4e2f09b62d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,4 +1,4 @@ -From 3bdeb87a02c98c290c46aad2d16b1a70a28ee19e Mon Sep 17 00:00:00 2001 +From dfaa3503791924a8ffebbed60073f5f8715093a3 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file @@ -26,10 +26,10 @@ Signed-off-by: David Howells 2 files changed, 70 insertions(+) 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index d062209..5f0a11f 100644 +index d361b74..7186928 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -3518,10 +3518,72 @@ static int selinux_file_receive(struct file *file) +@@ -3584,10 +3584,72 @@ static int selinux_file_receive(struct file *file) return file_has_perm(cred, file, file_to_av(file)); } @@ -101,8 +101,8 @@ index d062209..5f0a11f 100644 + int rc; fsec = file->f_security; - isec = file_inode(file)->i_security; -@@ -3542,6 +3604,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) + isec = inode_security(file_inode(file)); +@@ -3608,6 +3670,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred) * new inode label or new policy. * This check is not redundant - do not remove. */ @@ -117,10 +117,10 @@ index d062209..5f0a11f 100644 } diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h -index 81fa718..f088c08 100644 +index a2ae054..54cce84 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h -@@ -54,6 +54,7 @@ struct file_security_struct { +@@ -60,6 +60,7 @@ struct file_security_struct { u32 sid; /* SID of open file description */ u32 fown_sid; /* SID of file owner (for SIGIO) */ u32 isid; /* SID of inode at the time of file open */ @@ -129,5 +129,5 @@ index 81fa718..f088c08 100644 }; -- -2.4.6 +2.7.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch index 105bebcdc4..ff0bf98a66 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,4 +1,4 @@ -From 19c9589933e63e418736e12aeff9d4f5b08054e7 Mon Sep 17 00:00:00 2001 +From 52ad0951b6bfb8f10f57d6c26dca14925c772539 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 18/21] SELinux: Check against union label for file operations @@ -16,10 +16,10 @@ Signed-off-by: David Howells 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 5f0a11f..e33019e 100644 +index 7186928..a44cca7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -1682,6 +1682,7 @@ static int file_has_perm(const struct cred *cred, +@@ -1745,6 +1745,7 @@ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { 
@@ -27,7 +27,7 @@ index 5f0a11f..e33019e 100644 struct file_security_struct *fsec = file->f_security; struct inode *inode = file_inode(file); struct common_audit_data ad; -@@ -1702,8 +1703,15 @@ static int file_has_perm(const struct cred *cred, +@@ -1765,8 +1766,15 @@ static int file_has_perm(const struct cred *cred, /* av is zero if only checking access to the descriptor. */ rc = 0; @@ -46,5 +46,5 @@ index 5f0a11f..e33019e 100644 out: return rc; -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch new file mode 100644 index 0000000000..3e01d6d4fd --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch 
@@ -0,0 +1,41 @@
+From 6f36c5dba801f60119a75e20dd9df5369f005144 Mon Sep 17 00:00:00 2001
+From: Vito Caputo
+Date: Mon, 19 Oct 2015 17:53:12 -0700
+Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
+
+Rather than always allocating the high-order XATTR_SIZE_MAX buffer
+which is costly and prone to failure, only allocate what is needed and
+realloc if necessary.
+
+Fixes https://github.com/coreos/bugs/issues/489
+---
+ fs/overlayfs/copy_up.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index fa6610a..78c1aa3 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -70,6 +70,19 @@ retry:
+ value_size = size;
+ goto retry;
+ }
++
++ if (size > value_size) {
++ void *new;
++ new = krealloc(value, size, GFP_KERNEL);
++ if (!new) {
++ error = -ENOMEM;
++ goto out_free_value;
++ }
++ value = new;
++ value_size = size;
++ goto retry;
++ }
++
+ error = security_inode_copy_up_xattr(old, new,
+ name, value, &size);
+ if (error < 0)
+--
+2.7.3
+
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index f2ae46b9cf..4b45c50f42 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
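Review bot: The `if (size > value_size)` block added by the new 0019 patch looks like a second copy of the block whose tail forms the context directly above it (`value_size = size; goto retry; }`); if that context is indeed the end of an equivalent realloc-and-retry block already present in 4.5, the new block is only reached when `size <= value_size` and is dead code, so it should be dropped rather than carried as a patch. ovl_copy_xattr begins outside the hunk, so this is inferred from the three context lines and should be confirmed against the 4.5 fs/overlayfs/copy_up.c. Independently, the local `void *new` shadows the `new` dentry parameter that the very next statement passes to `security_inode_copy_up_xattr(old, new, ...)`; renaming it (`void *tmp; tmp = krealloc(value, size, GFP_KERNEL); ... value = tmp;`) avoids the -Wshadow warning and the misreading. If the block is kept, the krealloc size is taken directly from the size the lower filesystem reports for the xattr, so it is worth confirming that `size` is bounded (the XATTR_SIZE_MAX the commit message refers to) before growing the buffer to it.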
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From 274bc65fa0a1185d50b45fe84a8647af63cdb6ee Mon Sep 17 00:00:00 2001 +From 446a9480ed10cff1f2657b94d21f4b40edaf0140 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 802be10..2d2f994 100644 +index 7b3ecdc..7d950e4 100644 --- a/Makefile +++ b/Makefile @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index 802be10..2d2f994 100644 # Leave processing to above invocation of make -- -2.4.6 +2.7.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch index 2a02e393fa..fb7d1762a2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch @@ -1,7 +1,7 @@ -From 18b8e9f92afd62598d454e68138dda551ce7d381 Mon Sep 17 00:00:00 2001 +From b9136a24769ff9012e96ca4936108ffc5995916e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:43:52 +0000 -Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on +Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on overlayfs If a user opens a file r/w on overlayfs, and if the underlying inode is @@ -19,10 +19,10 @@ the selinux permissions check if that flag is set. 3 files changed, 13 insertions(+) diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c -index b29036a..545b856 100644 +index a4ff5d0..6ba3443 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c -@@ -138,6 +138,9 @@ int ovl_permission(struct inode *inode, int mask) +@@ -163,6 +163,9 @@ int ovl_permission(struct inode *inode, int mask) goto out_dput; } @@ -33,10 +33,10 @@ index b29036a..545b856 100644 out_dput: dput(alias); diff --git a/include/linux/fs.h b/include/linux/fs.h -index 3aa5142..5712013 100644 +index ae68100..fb6e94b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h -@@ -82,6 +82,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); +@@ -83,6 +83,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate); #define MAY_CHDIR 0x00000040 /* called from RCU mode, don't block */ #define MAY_NOT_BLOCK 0x00000080 @@ -45,10 +45,10 @@ index 3aa5142..5712013 100644 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index e33019e..48746ee 100644 +index a44cca7..f5ca93c 100644 --- a/security/selinux/hooks.c 
+++ b/security/selinux/hooks.c -@@ -2904,6 +2904,15 @@ static int selinux_inode_permission(struct inode *inode, int mask) +@@ -2967,6 +2967,15 @@ static int selinux_inode_permission(struct inode *inode, int mask) u32 audited, denied; from_access = mask & MAY_ACCESS; @@ -65,5 +65,5 @@ index e33019e..48746ee 100644 /* No permission to check. Existence test. */ -- -2.4.6 +2.7.3