mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-24 07:51:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1871 from crawford/kernel

Browse Source 
sys-kernel/coreos-{kernel,sources}: fix build
This commit is contained in:
Alex Crawford 2016-04-05 16:58:07 -07:00
commit 9f0eb45adc
26 changed files with 76 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0-r1.ebuild vendored
View File

@ -2,7 +2,7 @@
# Distributed under the terms of the GNU General Public License v2
EAPI=5
COREOS_SOURCE_REVISION=""
COREOS_SOURCE_REVISION="-r1"
inherit coreos-kernel
DESCRIPTION="CoreOS Linux kernel"

13
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.4 → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5 vendored
View File

@ -15,17 +15,16 @@ CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_LOG_BUF_SHIFT=18
CONFIG_NUMA_BALANCING=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_KMEM=y
CONFIG_CGROUP_PERF=y
CONFIG_BLK_CGROUP=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_BLK_CGROUP=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_CHECKPOINT_RESTORE=y
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y

13
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.4 → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5 vendored
View File

@ -14,19 +14,18 @@ CONFIG_TASK_IO_ACCOUNTING=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_LOG_BUF_SHIFT=14
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
# CONFIG_PROC_PID_CPUSET is not set
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_MEMCG_SWAP=y
CONFIG_MEMCG_KMEM=y
CONFIG_CGROUP_HUGETLB=y
CONFIG_CGROUP_PERF=y
CONFIG_BLK_CGROUP=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_BLK_CGROUP=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CPUSETS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_PERF=y
CONFIG_USER_NS=y
CONFIG_SCHED_AUTOGROUP=y
CONFIG_BLK_DEV_INITRD=y

6
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0-r1.ebuild vendored
View File

@ -40,7 +40,7 @@ UNIPATCH_LIST="
${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
${PATCH_DIR}/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
${PATCH_DIR}/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
${PATCH_DIR}/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
"

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch vendored
View File

@ -1,4 +1,4 @@
From fcf2db4366ca7c0ca81bfbee603b864b4347cbe5 Mon Sep 17 00:00:00 2001
From 02edef7def11ef45c9dca82382f4d5037b359ce6 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 17:58:15 -0400
Subject: [PATCH 01/21] Add secure_modules() call

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch vendored
View File

@ -1,4 +1,4 @@
From 00d259d880af2beb8e40f54fc391f9bcff74dd8e Mon Sep 17 00:00:00 2001
From 4f9bf3ce823a63e72687fa331bdcfd9050f00b54 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:10:38 -0500
Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch vendored
View File

@ -1,4 +1,4 @@
From b6df0aa8a4a37a61c84eaa81d7e5ceef59e2aa59 Mon Sep 17 00:00:00 2001
From fbcd2f7543b10fb9ff7075eab04aafc8ced67761 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Thu, 8 Mar 2012 10:35:59 -0500
Subject: [PATCH 03/21] x86: Lock down IO port access when module security is

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch vendored
View File

@ -1,4 +1,4 @@
From 23fd87347efce05c7500210e38c4e557d2314b65 Mon Sep 17 00:00:00 2001
From c84966668b5d607812d3f3788dcfa7fbcab400a3 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:39:37 -0500
Subject: [PATCH 04/21] ACPI: Limit access to custom_method

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch vendored
View File

@ -1,4 +1,4 @@
From cb9a6384b9fb18f33bdf2717df93aba01e32b17d Mon Sep 17 00:00:00 2001
From aafea7dbb04999694c5d7514a8ade6dffc80b6a8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 08:46:50 -0500
Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch vendored
View File

@ -1,4 +1,4 @@
From eecc59493292b4fc199cee082b88f2deec02018d Mon Sep 17 00:00:00 2001
From e1a26d978277b78e5f0f393018cecc2e6f6660ab Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Mar 2012 09:28:15 -0500
Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch vendored
View File

@ -1,4 +1,4 @@
From e2d101b00ccfba464fd82db710dcae260c17fc1d Mon Sep 17 00:00:00 2001
From 2d464f9da317e687e5fa03b7a079ad811192f491 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@redhat.com>
Date: Mon, 25 Jun 2012 19:57:30 -0400
Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch vendored
View File

@ -1,4 +1,4 @@
From cebac394600acad86fac15fbafc01693ab6fdd5c Mon Sep 17 00:00:00 2001
From e6288d2d10780371525b4fadaabc8c2d5ac87ad8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Thu, 19 Nov 2015 18:55:53 -0800
Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch vendored
View File

@ -1,4 +1,4 @@
From fe362fcdfb3eda249a88790c4d6003a551c586cd Mon Sep 17 00:00:00 2001
From 0cf91ec9a013fe36fc934519e02d5ac3a281b907 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 8 Feb 2013 11:12:13 -0800
Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch vendored
View File

@ -1,4 +1,4 @@
From 323216a1694f4d402ce89432d75b7d2756417b68 Mon Sep 17 00:00:00 2001
From 6e0533e9784929c426d8b9b8566f28d7b79aa109 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Fri, 9 Aug 2013 18:36:30 -0400
Subject: [PATCH 10/21] Add option to automatically enforce module signatures

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch vendored
View File

@ -1,4 +1,4 @@
From dbfa35d390791ae9c39f043fe0209c4fc4b1ec7b Mon Sep 17 00:00:00 2001
From 635479012d1f2ecc3109f8d026286ed54e429e89 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:28:43 -0400
Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch vendored
View File

@ -1,4 +1,4 @@
From f8c98a5d526a3627cad4dd5b6cc81bf12f862326 Mon Sep 17 00:00:00 2001
From a3ac48fab6c056a4857dcb1adea99871d5846cd8 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Tue, 27 Aug 2013 13:33:03 -0400
Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch vendored
View File

@ -1,4 +1,4 @@
From 5cb706dfbad58dfee5ee54346d47d1cb588219c3 Mon Sep 17 00:00:00 2001
From 4483ccc2fb447291aaafe690570437e72b54a396 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 20 Jun 2014 08:53:24 -0400
Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch vendored
View File

@ -1,4 +1,4 @@
From 7aa0a80475c2c565a5128d85c148af92560c8fa3 Mon Sep 17 00:00:00 2001
From 5b5cf4e83fc167101790192e8f6711fb9f879101 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 16 Jun 2015 14:14:31 +0100
Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned

6
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch vendored
View File

@ -1,4 +1,4 @@
From 72e28365e6ab54a078af74a958ed25ad85228b31 Mon Sep 17 00:00:00 2001
From eabd104a61199840d5dfe65a8a6eb353fc112600 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 16 Jun 2015 14:14:31 +0100
Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
1 file changed, 12 insertions(+)
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index d894e7c..fa6610a 100644
index d894e7c..41ca95d 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -70,6 +70,14 @@ retry:
@ -23,7 +23,7 @@ index d894e7c..fa6610a 100644
+ error = security_inode_copy_up_xattr(old, new,
+ name, value, &size);
+ if (error < 0)
+ goto out_free_value;
+ break;
+ if (error == 1) {
+ error = 0;
+ continue; /* Discard */

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch vendored
View File

@ -1,4 +1,4 @@
From 7640e15f1c2473e7d698e5f66aa7290f4f1b5fcd Mon Sep 17 00:00:00 2001
From 798fc50146e1c819932435bb2e0d92ef180fad81 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 16 Jun 2015 14:14:32 +0100
Subject: [PATCH 16/21] SELinux: Stub in copy-up handling

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch vendored
View File

@ -1,4 +1,4 @@
From dfaa3503791924a8ffebbed60073f5f8715093a3 Mon Sep 17 00:00:00 2001
From 7c5c4e06a08f0f397e44bd88e8aff169fa407af6 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 16 Jun 2015 14:14:32 +0100
Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file

2
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch vendored
View File

@ -1,4 +1,4 @@
From 52ad0951b6bfb8f10f57d6c26dca14925c772539 Mon Sep 17 00:00:00 2001
From 92ca3f0e63d46f131f75f57ef2b6a44bd8acd2ab Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Tue, 16 Jun 2015 14:14:32 +0100
Subject: [PATCH 18/21] SELinux: Check against union label for file operations

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch vendored
View File

@ -1,7 +1,7 @@
From 446a9480ed10cff1f2657b94d21f4b40edaf0140 Mon Sep 17 00:00:00 2001
From cb9ecb801b14c59df0a34717eb7ff4e5caff44e4 Mon Sep 17 00:00:00 2001
From: Vito Caputo <vito.caputo@coreos.com>
Date: Wed, 25 Nov 2015 02:59:45 -0800
Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
This enables relocating source and build trees to different roots,
provided they stay reachable relative to one another. Useful for

41
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch vendored
View File

@ -1,41 +0,0 @@
From 6f36c5dba801f60119a75e20dd9df5369f005144 Mon Sep 17 00:00:00 2001
From: Vito Caputo <vito.caputo@coreos.com>
Date: Mon, 19 Oct 2015 17:53:12 -0700
Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
Rather than always allocating the high-order XATTR_SIZE_MAX buffer
which is costly and prone to failure, only allocate what is needed and
realloc if necessary.
Fixes https://github.com/coreos/bugs/issues/489
---
fs/overlayfs/copy_up.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index fa6610a..78c1aa3 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -70,6 +70,19 @@ retry:
value_size = size;
goto retry;
}
+
+ if (size > value_size) {
+ void *new;
+ new = krealloc(value, size, GFP_KERNEL);
+ if (!new) {
+ error = -ENOMEM;
+ goto out_free_value;
+ }
+ value = new;
+ value_size = size;
+ goto retry;
+ }
+
error = security_inode_copy_up_xattr(old, new,
name, value, &size);
if (error < 0)
--
2.7.3

4
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch → sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch vendored
View File

@ -1,7 +1,7 @@
From b9136a24769ff9012e96ca4936108ffc5995916e Mon Sep 17 00:00:00 2001
From a19700db885d083eebff877f9b14e387d824f812 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 22 Dec 2015 07:43:52 +0000
Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on
Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on
overlayfs
If a user opens a file r/w on overlayfs, and if the underlying inode is

36
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch vendored Normal file
View File

@ -0,0 +1,36 @@
From 86ecc1a1941cb41b49bc16628d11bb5ef7f2cb43 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 1 Mar 2016 15:00:15 -0800
Subject: [PATCH 21/21] Fix unallocated memory access in TPM eventlog code
COmmit 0cc698 added support for handling endian fixups in the event log code
but broke the binary log file in the process. Keep the endian code, but read
the event data from the actual event rather than from unallocated RAM.
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
Cc: stable@kernel.org
---
drivers/char/tpm/tpm_eventlog.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
index bd72fb0..e47092c 100644
--- a/drivers/char/tpm/tpm_eventlog.c
+++ b/drivers/char/tpm/tpm_eventlog.c
@@ -244,7 +244,12 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
tempPtr = (char *)&temp_event;
- for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++)
+ for (i = 0; i < sizeof(struct tcpa_event); i++)
+ seq_putc(m, tempPtr[i]);
+
+ tempPtr = (char *)&event->event_data;
+
+ for (i = 0; i < temp_event.event_size; i++)
seq_putc(m, tempPtr[i]);
return 0;
--
2.7.3