From 6484c291fae757925eba00bc4b73acb568de066a Mon Sep 17 00:00:00 2001 
From: Jenkins OS
Date: Sat, 14 Oct 2017 17:07:14 +0000
Subject: [PATCH] sys-kernel/coreos-sources: bump to 4.13.7
---
 ...3.6.ebuild => coreos-kernel-4.13.7.ebuild} | 0
 ....6.ebuild => coreos-modules-4.13.7.ebuild} | 0
 .../sys-kernel/coreos-sources/Manifest | 2 +-
 ....6.ebuild => coreos-sources-4.13.7.ebuild} | 1 -
 .../z0001-efi-Add-EFI_SECURE_BOOT-bit.patch | 4 +-
 ...to-lock-down-access-to-the-running-k.patch | 4 +-
 ...e-kernel-if-booted-in-secure-boot-mo.patch | 4 +-
 ...ignatures-if-the-kernel-is-locked-do.patch | 4 +-
 ...-and-dev-kmem-when-the-kernel-is-loc.patch | 4 +-
 ...-runtime-if-the-kernel-is-locked-dow.patch | 4 +-
 ...-flag-in-boot-params-across-kexec-re.patch | 4 +-
 ...le-at-runtime-if-securelevel-has-bee.patch | 4 +-
 ...sable-when-the-kernel-is-locked-down.patch | 4 +-
 ...sable-when-the-kernel-is-locked-down.patch | 4 +-
 ...R-access-when-the-kernel-is-locked-d.patch | 4 +-
 ...-port-access-when-the-kernel-is-lock.patch | 4 +-
 ...-access-when-the-kernel-is-locked-do.patch | 4 +-
 ...t-debugfs-interface-when-the-kernel-.patch | 4 +-
 ...s-to-custom_method-when-the-kernel-i.patch | 4 +-
 ..._rsdp-kernel-param-when-the-kernel-h.patch | 4 +-
 ...I-table-override-if-the-kernel-is-lo.patch | 4 +-
 ...I-error-injection-if-the-kernel-is-l.patch | 4 +-
 ...nel-image-access-functions-when-the-.patch | 4 +-
 ...z0020-scsi-Lock-down-the-eata-driver.patch | 4 +-
 ...CIS-storage-when-the-kernel-is-locke.patch | 4 +-
 .../4.13/z0022-Lock-down-TIOCSSERIAL.patch | 4 +-
 ...lative-path-for-KBUILD_SRC-from-CURD.patch | 6 +--
 .../z0024-Add-arm64-coreos-verity-hash.patch | 4 +-
 ...-waitid-Add-missing-access_ok-checks.patch | 43 -------------------
 29 files changed, 50 insertions(+), 94 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.13.6.ebuild => coreos-kernel-4.13.7.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.13.6.ebuild => coreos-modules-4.13.7.ebuild} (100%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.13.6.ebuild => coreos-sources-4.13.7.ebuild} (97%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.7.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.7.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.7.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 3d8afc7ce9..1804e5ff2c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@
 DIST linux-4.13.tar.xz 100579888 SHA256 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c SHA512 a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 WHIRLPOOL d3d332e02cd3c5056c76c28cf1f81504c6f7b8f2caed7238e7dd7866747fb03154b88d8d7aec4d0eddf5760624bc7d6c5485fb52a3e32d098a2742eba96c0d05
-DIST patch-4.13.6.xz 165096 SHA256 12d897b7f547c7d03a81be690b3dc0e0e5b9becfbd63e3dbf9f7258db861ddfb SHA512 40e111f3969b622f982bfb75f8c35aa59d9989a627a4511d8e0090b0c7bbcafcc90567434f5166ef2d17831f0beddb52762107e523414523e1877f67f66ca3f7 WHIRLPOOL 84ffb5f228a46d5551de04e8dcb8fda2ed72b40f0306198c909036610f58f6d5e6299d71bcd08e235f3c34fbfffb5d6dae805aaaa2dbef220ae94ef844a6890b
+DIST patch-4.13.7.xz 165784 SHA256 0fe89c96e956efbded576214eef0c8e43cabe41dfca245e3ebb79fff9bc8715d SHA512 4d96c655ca4c720b872e1a88ba9989a419880cb5fec2a4a9190077588066f205c5dce2591a76f26375f6f50001334ceb7631d489d3b24ca443d10e1e6879ed54 WHIRLPOOL fb192f3acb9d3a249a2ecaf6b7d6c6eca0ac684c17c01226ed1ca69f5aafefa782aeb80000bfae5753672e2d8bb93b07377e8d1c0ca66b5dbdb1332d77ae38a9
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.7.ebuild
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.7.ebuild
index c13c3dfb99..abab10dc9f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.7.ebuild
@@ -55,5 +55,4 @@ UNIPATCH_LIST="
 ${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
 ${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 ${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
- ${PATCH_DIR}/z0025-waitid-Add-missing-access_ok-checks.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
index e6a5019f6d..bb9f3d2dc5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,7 +1,7 @@
-From 0ca587d266c2a08314e7e5026f4db17b2587aaae Mon Sep 17 00:00:00 2001
+From e03ef102d0cabd798b0784330e5c063e406ba69f Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
 UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit that can be passed to efi_enabled() to find out whether secure boot is
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
index b6e0216d9c..88065bd9ef 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
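Review bot: Removing `${PATCH_DIR}/z0025-waitid-Add-missing-access_ok-checks.patch` from UNIPATCH_LIST drops the overlay's only carrier of the CVE-2017-5123 fix (the deleted z0025 file names that CVE), and nothing in the hunk or the commit subject records why it is safe to do so at the same time as the version bump. Presumably patch-4.13.7.xz now contains the upstream waitid() access_ok() change, but that is an inference from the two edits appearing together, not something a later reader can check from this ebuild. I would keep a one-line note at the point of removal, e.g. `# z0025 (waitid access_ok, CVE-2017-5123) dropped: verify it is carried by the 4.13.7 stable patch`, so the security reason for the list shrinking is visible next to the list itself. If the stable patch did not carry it, a kernel built from this ebuild would silently lose the check on the siginfo copyout; the UNIPATCH_LIST assignment begins above this hunk.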
@@ -1,7 +1,7 @@
-From 9488dfe7dd6c558cbf39b358b6e26c58ec728f79 Mon Sep 17 00:00:00 2001
+From 36cf82213ee6353307254117689a7ed8bd0b390c Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Mon, 21 Nov 2016 23:36:17 +0000
-Subject: [PATCH 02/25] Add the ability to lock down access to the running
+Subject: [PATCH 02/24] Add the ability to lock down access to the running
 kernel image Provide a single call to allow kernel code to determine whether the system
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index 3f791221f6..b9103cd832 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -1,7 +1,7 @@
-From d2ad9ef2777a166bf439681a6e1feb9bed15ba77 Mon Sep 17 00:00:00 2001
+From 41c69b650459b3c6493af84133a97f85218218ec Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
+Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
index 53bfeaf9bc..470ca31c57 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
@@ -1,7 +1,7 @@
-From 1f144b1dcd97473d15e939518257f05df63f25de Mon Sep 17 00:00:00 2001
+From 21703e9af75dd9c17303e3e7e8ccc54dc409fd5f Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Wed, 23 Nov 2016 13:22:22 +0000
-Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
+Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
 If the kernel is locked down, require that all modules have valid signatures that we can verify.
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
index 6034d3110e..1d11fe408c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
@@ -1,7 +1,7 @@
-From ec132d88b99550cf6bd04d4b38a660e350c93648 Mon Sep 17 00:00:00 2001
+From adfa60bbc2f70b8e3af62ff2119cf335e1097a11 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
+Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
 locked down Allowing users to write to address space makes it possible for the kernel to
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
index a2b06b948f..2e3b7403c2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
@@ -1,7 +1,7 @@
-From 569b20893b215e18e6bd7ac866a6e768c3d6fd8d Mon Sep 17 00:00:00 2001
+From 46a1082586962eb5b323de33038f83f3cb099f14 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
+Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
 kexec permits the loading and execution of arbitrary code in ring 0, which is something that lock-down is meant to prevent. It makes sense to disable
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
index 132da3378c..a3810d65e3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
@@ -1,7 +1,7 @@
-From ab96910a663a80ec3f8121ca6d6606678a2af6a7 Mon Sep 17 00:00:00 2001
+From b79bed540e03d94c967726ed154adaaa9a853959 Mon Sep 17 00:00:00 2001
 From: Dave Young
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
+Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
 reboot Kexec reboot in case secure boot being enabled does not keep the secure
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
index bf55bfd6e6..f8f8f42576 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
@@ -1,7 +1,7 @@
-From e81bd7b2b8cf468648817b1495d11ea12cc17b61 Mon Sep 17 00:00:00 2001
+From 507952ee036f02987f83d4b7385be9b5dfa34d7c Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi"
 Date: Wed, 23 Nov 2016 13:49:19 +0000
-Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
+Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
 set When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
index 0ace9c9c95..e35239061b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
@@ -1,7 +1,7 @@
-From b104d0504ff5cd4f2bc55dfe50c7c7758016b50b Mon Sep 17 00:00:00 2001
+From 5c5ad91fce7da054aa83761f72601e1d56a28660 Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
+Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
 There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model,
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
index ad84a0c16f..76005803f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
@@ -1,7 +1,7 @@
-From f2d13ff04ffccd9da300c704c47e4df944f88167 Mon Sep 17 00:00:00 2001
+From ca6b230412ab3e8546149b597cf44b767bb827c4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Wed, 23 Nov 2016 13:28:17 +0000
-Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
+Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
 uswsusp allows a user process to dump and then restore kernel state, which makes it possible to modify the running kernel. Disable this if the kernel
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
index 7ebb4290d9..e8adc53f46 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
@@ -1,7 +1,7 @@
-From e3efec13deba479e22e02b51222868fb1ffdfb17 Mon Sep 17 00:00:00 2001
+From 431e44d46f884a411cefa7c4120d26fe738e018a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
+Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
 down Any hardware that can potentially generate DMA has to be locked down in
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
index e982dcf8df..284424e4be 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
@@ -1,7 +1,7 @@
-From 8cf28062fa8fe09449f2a08fc653f8b67eeb6b23 Mon Sep 17 00:00:00 2001
+From 438b2fa68262a24e41e928a066a91c3b8cc732ea Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
+Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
 down IO port access would permit users to gain access to PCI configuration
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
index d0731d6e35..111a6e31a7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
@@ -1,7 +1,7 @@
-From aceb992e68395597c9e158db6fac1104cc8481bd Mon Sep 17 00:00:00 2001
+From 9e25efe48f3ebba5f8ae29edbac3bdd686a2e29c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:17 +0000
-Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
+Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
 Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
index 881f15beef..6d87390fad 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
@@ -1,7 +1,7 @@
-From cbf465826c9e7a903640c77abd259df18ca98525 Mon Sep 17 00:00:00 2001
+From 3711ab05c1fa894323f6ba6cf8d6ed941b71e6dd Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
+Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
 locked down We have no way of validating what all of the Asus WMI methods do on a given
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
index d3755b45fe..f1e1e2f819 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -1,7 +1,7 @@
-From 66efb15a02ff6e631461b419b6534fbf065baa4a Mon Sep 17 00:00:00 2001
+From 9270c8dd98aac0c126bd4de8b043f7b640538158 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
+Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
 locked down custom_method effectively allows arbitrary access to system memory, making
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
index a80bee65c2..0d53bc50b7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -1,7 +1,7 @@
-From ff8247261c2e520d2d86c9b1c49d6a3add0f787e Mon Sep 17 00:00:00 2001
+From 32938322a86727368913c229e651f2bc9ea232ca Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
+Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
 been locked down This option allows userspace to pass the RSDP address to the kernel, which
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
index 81fc451d16..4be16bae0e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -1,7 +1,7 @@
-From 0e0436f160dc5e72da06475f47cf0f3d3eb825c2 Mon Sep 17 00:00:00 2001
+From d5daa6edc6e51072dc797b81051360b478fb5265 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto
 Date: Wed, 23 Nov 2016 13:32:27 +0000
-Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
+Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
 locked down From the kernel documentation (initrd_table_override.txt):
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
index 8648ed5b11..7bcd10e868 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -1,7 +1,7 @@
-From 76da8791076ba432067fe7d079ca49e0c9db7bf4 Mon Sep 17 00:00:00 2001
+From 1489fcf49abbef75b55b57b0ccbedf6fe04540c7 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto
 Date: Wed, 23 Nov 2016 13:39:41 +0000
-Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
+Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
 locked down ACPI provides an error injection mechanism, EINJ, for debugging and testing
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
index 62a4db76e2..f6b1378d7f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -1,7 +1,7 @@
-From 48cf308a15eb59f0ab3d7f1ca07633888008dd83 Mon Sep 17 00:00:00 2001
+From d0108763f62a685f8be631809b0930ada06e11d5 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi"
 Date: Wed, 23 Nov 2016 13:52:16 +0000
-Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
+Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
 kernel is locked down There are some bpf functions can be used to read kernel memory:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
index 29f690ee74..3c1fa9a272 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch
@@ -1,7 +1,7 @@
-From f65f1cb103ada3d4df63e90259b8087218211385 Mon Sep 17 00:00:00 2001
+From d7ddac19599ea83cdd96fa49b5c63cacd5a48246 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Tue, 22 Nov 2016 10:10:34 +0000
-Subject: [PATCH 20/25] scsi: Lock down the eata driver
+Subject: [PATCH 20/24] scsi: Lock down the eata driver
 When the kernel is running in secure boot mode, we lock down the kernel to prevent userspace from modifying the running kernel image. Whilst this
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
index 337f899f9d..5bd718f74e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -1,7 +1,7 @@
-From 7dbf7ac8f7767b2553126a6a4d99ef5d089b7ac2 Mon Sep 17 00:00:00 2001
+From 756c195d5ae03785c244ab97f69882a1e505a878 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Fri, 25 Nov 2016 14:37:45 +0000
-Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
+Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
 down Prohibit replacement of the PCMCIA Card Information Structure when the
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
index 0013992be0..6887daa5ac 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch
@@ -1,7 +1,7 @@
-From d2242c4df8c05d84c7d598603b04733da930bcd3 Mon Sep 17 00:00:00 2001
+From 156c8ff989e16ed6ba8b87455f09397a09e06c63 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Wed, 7 Dec 2016 10:28:39 +0000
-Subject: [PATCH 22/25] Lock down TIOCSSERIAL
+Subject: [PATCH 22/24] Lock down TIOCSSERIAL
 Lock down TIOCSSERIAL as that can be used to change the ioport and irq settings on a serial port. This only appears to be an issue for the serial
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index 7aaca7bc60..e7a1de32ba 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,7 +1,7 @@
-From 8239e8a3c6a9679b4b84c60e7914fe2cb6cd9f29 Mon Sep 17 00:00:00 2001
+From 1a7f0516d79117e7e8fdf5fd4ad98cd8e33abf21 Mon Sep 17 00:00:00 2001
 From: Vito Caputo
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
 This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
-index 9e1af1af327b..cff814738d5e 100644
+index 0d4f1b19869d..11ab2b77f732 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -142,7 +142,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
index 29906b7eda..d06acf23a5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch
@@ -1,7 +1,7 @@
-From 569a5db0554a7e94aa37775be1d171b5814f03f1 Mon Sep 17 00:00:00 2001
+From 2c1a9a33846f068c75958b33bbba00a76862223a Mon Sep 17 00:00:00 2001
 From: Geoff Levand
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 24/25] Add arm64 coreos verity hash
+Subject: [PATCH 24/24] Add arm64 coreos verity hash
 Signed-off-by: Geoff Levand
 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch
deleted file mode 100644
index 7e2af55497..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-waitid-Add-missing-access_ok-checks.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 4e6fc257193a1d56eedc55e040d6e5c158cdaceb Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Mon, 9 Oct 2017 11:36:52 -0700
-Subject: [PATCH 25/25] waitid(): Add missing access_ok() checks
-
-Adds missing access_ok() checks.
-
-CVE-2017-5123
-
-Reported-by: Chris Salls
-Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
-Signed-off-by: Kees Cook
----
- kernel/exit.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 6d31fc5ba50d..135b36985f8a 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1611,6 +1611,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- if (!infop)
- return err;
-
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
-@@ -1736,6 +1739,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (!infop)
- return err;
-
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
---
-2.14.1
-