Merge pull request #2808 from euank/ovl-regression

sys-kernel/coreos-*: add overlay ebusy fix

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.03.2-r1.ebuild

@@ -12,7 +12,7 @@ if [[ ${PV} == *9999 ]]; then
 	DOCKER_GITCOMMIT="unknown"
 	KEYWORDS="~amd64 ~arm64"
 else
-	CROS_WORKON_COMMIT="a662a4c026af44b573f6f7851ae467d8e86f2162" # coreos-17.03.2-ce
+	CROS_WORKON_COMMIT="236043027bc7199ec691f98c49bb2f0ec6a316d5" # coreos-17.03.2-ce
 	DOCKER_GITCOMMIT="${CROS_WORKON_COMMIT:0:7}"
 	KEYWORDS="amd64 arm64"
 fi

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild

@@ -74,9 +74,7 @@ RESTRICT="installsources strip"
 
 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
 
-ENGINE_PATCHES=(
+ENGINE_PATCHES=()
-	"${FILESDIR}/patches/engine/revert-make-overlay-home-dir-private.patch"
-)
 
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
@@ -212,7 +210,7 @@ src_unpack() {
 		DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
 		DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 	fi
-	eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
+	[ "${#ENGINE_PATCHES[@]}" -gt 0 ] && eapply -d"${S}"/components/engine "${ENGINE_PATCHES[@]}"
 }
 
 src_compile() {

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/patches/engine/revert-make-overlay-home-dir-private.patch

@@ -1,111 +0,0 @@
-From 699fab4877c3ff5d7f935bd3977e413c31269c7c Mon Sep 17 00:00:00 2001
-From: Euan Kemp <euan.kemp@coreos.com>
-Date: Fri, 22 Sep 2017 12:01:04 -0700
-Subject: [PATCH] Revert "Make overlay home dir Private mount"
-
-This reverts commit e076bccb458aeadab9380ce0636456ad6317a85f.
-It also reverts it for the overlay2 package, which didn't exist at the
-time the commit was made but is a direct successor with copy-pasted
-code.
-
-The original commit was meant to fix a bug whereby `docker cp`
-(implemented via chrootarchive) could inadvertantly lead to shared
-mounts getting unmounted on the host too.
-
-The fix, however, had side effects. It results in overlay mounts being
-private, and thus being quite easy to leak copies that are hard to
-umount into other mount namespaces on the box.
-
-This hasn't been noticed until now because on kernels prior to v4.13,
-temporarily leaking overlayfs mounts to other namespaces didn't have any
-ill effects.
-
-Starting with v4.13, setting the mount to private and thus leaking
-mounts results in errors. See https://github.com/moby/moby/issues/34672
-
-The correct fix for the original issue was implemented later in
-https://github.com/moby/moby/pull/27609, and since that code is now
-merged we can safely throw away this less ideal fix.
-
-Signed-off-by: Euan Kemp <euan.kemp@coreos.com>
----
- daemon/graphdriver/overlay/overlay.go  | 12 +++---------
- daemon/graphdriver/overlay2/overlay.go | 12 +++---------
- 2 files changed, 6 insertions(+), 18 deletions(-)
-
-diff --git a/daemon/graphdriver/overlay/overlay.go b/daemon/graphdriver/overlay/overlay.go
-index 9012722c20d..8ed51e6c384 100644
---- a/daemon/graphdriver/overlay/overlay.go
-+++ b/daemon/graphdriver/overlay/overlay.go
-@@ -19,7 +19,6 @@ import (
- 	"github.com/docker/docker/pkg/fsutils"
- 	"github.com/docker/docker/pkg/idtools"
- 	"github.com/docker/docker/pkg/locker"
--	"github.com/docker/docker/pkg/mount"
- 	"github.com/docker/docker/pkg/system"
- 	"github.com/opencontainers/selinux/go-selinux/label"
- 	"github.com/sirupsen/logrus"
-@@ -139,10 +138,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
- 		return nil, err
- 	}
- 
--	if err := mount.MakePrivate(home); err != nil {
--		return nil, err
--	}
--
- 	supportsDType, err := fsutils.SupportsDType(home)
- 	if err != nil {
- 		return nil, err
-@@ -227,11 +222,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
- 	return metadata, nil
- }
- 
--// Cleanup any state created by overlay which should be cleaned when daemon
--// is being shutdown. For now, we just have to unmount the bind mounted
--// we had created.
-+// Cleanup simply returns nil and do not change the existing filesystem.
-+// This is required to satisfy the graphdriver.Driver interface.
- func (d *Driver) Cleanup() error {
--	return mount.Unmount(d.home)
-+	return nil
- }
- 
- // CreateReadWrite creates a layer that is writable for use as a container
-diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
-index f350ca9c0b8..5aaf8c0cefe 100644
---- a/daemon/graphdriver/overlay2/overlay.go
-+++ b/daemon/graphdriver/overlay2/overlay.go
-@@ -28,7 +28,6 @@ import (
- 	"github.com/docker/docker/pkg/fsutils"
- 	"github.com/docker/docker/pkg/idtools"
- 	"github.com/docker/docker/pkg/locker"
--	"github.com/docker/docker/pkg/mount"
- 	"github.com/docker/docker/pkg/parsers"
- 	"github.com/docker/docker/pkg/parsers/kernel"
- 	"github.com/docker/docker/pkg/system"
-@@ -175,10 +174,6 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
- 		return nil, err
- 	}
- 
--	if err := mount.MakePrivate(home); err != nil {
--		return nil, err
--	}
--
- 	supportsDType, err := fsutils.SupportsDType(home)
- 	if err != nil {
- 		return nil, err
-@@ -314,11 +309,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
- 	return metadata, nil
- }
- 
--// Cleanup any state created by overlay which should be cleaned when daemon
--// is being shutdown. For now, we just have to unmount the bind mounted
--// we had created.
-+// Cleanup simply returns nil and do not change the existing filesystem.
-+// This is required to satisfy the graphdriver.Driver interface.
- func (d *Driver) Cleanup() error {
--	return mount.Unmount(d.home)
-+	return nil
- }
- 
- // CreateReadWrite creates a layer that is writable for use as a container

sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.03.ebuild

@@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"
 
 # Explicitly list all packages that will be built into the image.
 RDEPEND="
-	=app-emulation/docker-17.03.2
+	=app-emulation/docker-17.03.2-r1
 	=app-emulation/containerd-0.2.6
 	=app-emulation/docker-proxy-0.8.0_p20161019
 	=app-emulation/docker-runc-1.0.0_rc2_p136

sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.09.ebuild

@@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"
 
 # Explicitly list all packages that will be built into the image.
 RDEPEND="
-	=app-emulation/docker-17.09.0
+	=app-emulation/docker-17.09.0-r1
 	=app-emulation/containerd-0.2.9_p27
 	=app-emulation/docker-proxy-0.8.0_p20170917
 	=app-emulation/docker-runc-1.0.0_rc4_p25

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.13.5-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel
 
 DESCRIPTION="CoreOS Linux kernel"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.13.5-r1.ebuild

@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel savedconfig
 
 DESCRIPTION="CoreOS Linux kernel modules"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.13.5-r1.ebuild

@@ -55,4 +55,5 @@ UNIPATCH_LIST="
 	${PATCH_DIR}/z0022-Lock-down-TIOCSSERIAL.patch \
 	${PATCH_DIR}/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 	${PATCH_DIR}/z0024-Add-arm64-coreos-verity-hash.patch \
+	${PATCH_DIR}/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch \
 "

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
 From f1837934545ec345d6509fe6b70d5a8e7fb48c06 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 01/25] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 that can be passed to efi_enabled() to find out whether secure boot is
@@ -42,5 +42,5 @@ index 8269bcb8ccf7..7952dd3ffa73 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch

@@ -1,7 +1,7 @@
 From 07584ac35f055643fbb7d3db977edb1667761cdd Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:36:17 +0000
-Subject: [PATCH 02/24] Add the ability to lock down access to the running
+Subject: [PATCH 02/25] Add the ability to lock down access to the running
  kernel image
 
 Provide a single call to allow kernel code to determine whether the system
@@ -145,5 +145,5 @@ index 000000000000..5788c60ff4e1
 +}
 +EXPORT_SYMBOL(kernel_is_locked_down);
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch

@@ -1,7 +1,7 @@
 From 50ee015df6059aafabbde1ca24cc93ed9a5d4dec Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 21 Nov 2016 23:55:55 +0000
-Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
+Subject: [PATCH 03/25] efi: Lock down the kernel if booted in secure boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
 only load signed bootloaders and kernels.  Certain use cases may also
@@ -65,5 +65,5 @@ index 319995f58345..d0128aef43ce 100644
  		default:
  			pr_info("Secure boot could not be determined\n");
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch

@@ -1,7 +1,7 @@
 From 76bf27c180ae82174aa7429c24c815b7d69f4580 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 23 Nov 2016 13:22:22 +0000
-Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
+Subject: [PATCH 04/25] Enforce module signatures if the kernel is locked down
 
 If the kernel is locked down, require that all modules have valid
 signatures that we can verify.
@@ -25,5 +25,5 @@ index 40f983cbea81..e5b878b26906 100644
  
  	return err;
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch

@@ -1,7 +1,7 @@
 From 9062089abfaf7e47d6f734d84c27c1cbea3c04c6 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
+Subject: [PATCH 05/25] Restrict /dev/mem and /dev/kmem when the kernel is
  locked down
 
 Allowing users to write to address space makes it possible for the kernel to
@@ -39,5 +39,5 @@ index 593a8818aca9..ba68add9677f 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch

@@ -1,7 +1,7 @@
 From a4a18f7a7c9f4dc853d1ed84e100bfad45ca768d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
+Subject: [PATCH 06/25] kexec: Disable at runtime if the kernel is locked down
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
 is something that lock-down is meant to prevent. It makes sense to disable
@@ -20,20 +20,20 @@ diff --git a/kernel/kexec.c b/kernel/kexec.c
 index e62ec4dc6620..37f75d0b75de 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
-@@ -201,6 +201,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -202,6 +202,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
- 	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
  		return -EPERM;
  
-+	/*
+ 	/*
 +	 * kexec can be used to circumvent module loading restrictions, so
 +	 * prevent loading in that case
 +	 */
 +	if (kernel_is_locked_down())
 +		return -EPERM;
 +
- 	/*
++	/*
  	 * Verify we have a legal set of flags
  	 * This leaves us room for future extensions.
+ 	 */
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch

@@ -1,7 +1,7 @@
 From d3aa49c4e2c3fc2db64a67802d2d1ca7682f3e43 Mon Sep 17 00:00:00 2001
 From: Dave Young <dyoung@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
+Subject: [PATCH 07/25] Copy secure_boot flag in boot params across kexec
  reboot
 
 Kexec reboot in case secure boot being enabled does not keep the secure
@@ -34,5 +34,5 @@ index fb095ba0c02f..7d0fac5bcbbe 100644
  	ei->efi_systab = current_ei->efi_systab;
  	ei->efi_systab_hi = current_ei->efi_systab_hi;
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch

@@ -1,7 +1,7 @@
 From 4f56499f69dd3492dcd4ec80bf0d39882384fedb Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
 Date: Wed, 23 Nov 2016 13:49:19 +0000
-Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
+Subject: [PATCH 08/25] kexec_file: Disable at runtime if securelevel has been
  set
 
 When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
@@ -35,5 +35,5 @@ index 9f48f4412297..7da87007c202 100644
  	if (flags != (flags & KEXEC_FILE_FLAGS))
  		return -EINVAL;
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch

@@ -1,7 +1,7 @@
 From 73206c208c0fd2658938c75f8b2c223d64f926ac Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
+Subject: [PATCH 09/25] hibernate: Disable when the kernel is locked down
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -28,5 +28,5 @@ index e1914c7b85b1..7859ba79e181 100644
  
  /**
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch

@@ -1,7 +1,7 @@
 From d575c18b93c029bd3042e5719af1e3536f13f90c Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Wed, 23 Nov 2016 13:28:17 +0000
-Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
+Subject: [PATCH 10/25] uswsusp: Disable when the kernel is locked down
 
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to modify the running kernel.  Disable this if the kernel
@@ -28,5 +28,5 @@ index 22df9f7ff672..e4b926d329b7 100644
  
  	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch

@@ -1,7 +1,7 @@
 From 16ad18e196811749d4d5f737e4ca0482326be131 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:15 +0000
-Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
+Subject: [PATCH 11/25] PCI: Lock down BAR access when the kernel is locked
  down
 
 Any hardware that can potentially generate DMA has to be locked down in
@@ -99,5 +99,5 @@ index 9bf993e1f71e..c09524738ceb 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch

@@ -1,7 +1,7 @@
 From ad9d4a91032b313727714cbb57aa8ddfb8d80dfc Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
+Subject: [PATCH 12/25] x86: Lock down IO port access when the kernel is locked
  down
 
 IO port access would permit users to gain access to PCI configuration
@@ -55,5 +55,5 @@ index ba68add9677f..5e2a260fb89f 100644
  }
  
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch

@@ -1,7 +1,7 @@
 From f1e625e306e90405acff33c68a6285a20877de59 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:17 +0000
-Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
+Subject: [PATCH 13/25] x86: Restrict MSR access when the kernel is locked down
 
 Writing to MSRs should not be allowed if the kernel is locked down, since
 it could lead to execution of arbitrary code in kernel mode.  Based on a
@@ -40,5 +40,5 @@ index ef688804f80d..fbcce028e502 100644
  			err = -EFAULT;
  			break;
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch

@@ -1,7 +1,7 @@
 From b94b97961964b34fa834a5a49a381ba5c40d1136 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
+Subject: [PATCH 14/25] asus-wmi: Restrict debugfs interface when the kernel is
  locked down
 
 We have no way of validating what all of the Asus WMI methods do on a given
@@ -51,5 +51,5 @@ index 709e3a67391a..2d8db47698b2 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch

@@ -1,7 +1,7 @@
 From 3c68d0f079679bbd37603e30a28fda1a51f2052d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
+Subject: [PATCH 15/25] ACPI: Limit access to custom_method when the kernel is
  locked down
 
 custom_method effectively allows arbitrary access to system memory, making
@@ -29,5 +29,5 @@ index c68e72414a67..e4d721c330c0 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch

@@ -1,7 +1,7 @@
 From b422de393e6d978f5067cee5170c449dc4277f20 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 22 Nov 2016 08:46:16 +0000
-Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
+Subject: [PATCH 16/25] acpi: Ignore acpi_rsdp kernel param when the kernel has
  been locked down
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -28,5 +28,5 @@ index db78d353bab1..d4d4ba348451 100644
  #endif
  
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch

@@ -1,7 +1,7 @@
 From 26bcf43365c06c2ca9e3386b202c52988525d70d Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:32:27 +0000
-Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
+Subject: [PATCH 17/25] acpi: Disable ACPI table override if the kernel is
  locked down
 
 From the kernel documentation (initrd_table_override.txt):
@@ -37,5 +37,5 @@ index ff425390bfa8..c72bfa97888a 100644
  		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
  				       all_tables_size, PAGE_SIZE);
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch

@@ -1,7 +1,7 @@
 From 0b2d6eaf44fe27ffc3f266d60acd785054c9251a Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Wed, 23 Nov 2016 13:39:41 +0000
-Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
+Subject: [PATCH 18/25] acpi: Disable APEI error injection if the kernel is
  locked down
 
 ACPI provides an error injection mechanism, EINJ, for debugging and testing
@@ -40,5 +40,5 @@ index ec50c32ea3da..e082718d01c2 100644
  	if (flags && (flags &
  		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch

@@ -1,7 +1,7 @@
 From c03a14e840c12755863e0bb0fc3dc466cdcab734 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi" <jlee@suse.com>
 Date: Wed, 23 Nov 2016 13:52:16 +0000
-Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
+Subject: [PATCH 19/25] bpf: Restrict kernel image access functions when the
  kernel is locked down
 
 There are some bpf functions can be used to read kernel memory:
@@ -53,5 +53,5 @@ index dc498b605d5d..fb240222b89b 100644
  	for (i = 0; i < fmt_size; i++) {
  		if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0020-scsi-Lock-down-the-eata-driver.patch

@@ -1,7 +1,7 @@
 From 87d86828a5c23d79d182fe08fc311980a49bb314 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 22 Nov 2016 10:10:34 +0000
-Subject: [PATCH 20/24] scsi: Lock down the eata driver
+Subject: [PATCH 20/25] scsi: Lock down the eata driver
 
 When the kernel is running in secure boot mode, we lock down the kernel to
 prevent userspace from modifying the running kernel image.  Whilst this
@@ -43,5 +43,5 @@ index 227dd2c2ec2f..5c036d10c18b 100644
  #if defined(MODULE)
  	/* io_port could have been modified when loading as a module */
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch

@@ -1,7 +1,7 @@
 From 5674808941b241db1a075ecf6392cd2f5f963c7b Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 25 Nov 2016 14:37:45 +0000
-Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
+Subject: [PATCH 21/25] Prohibit PCMCIA CIS storage when the kernel is locked
  down
 
 Prohibit replacement of the PCMCIA Card Information Structure when the
@@ -29,5 +29,5 @@ index 55ef7d1fd8da..193e4f7b73b1 100644
  
  	if (off)
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0022-Lock-down-TIOCSSERIAL.patch

@@ -1,7 +1,7 @@
 From c9f901215cc9798206af8934f3e3396e812bfd36 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 7 Dec 2016 10:28:39 +0000
-Subject: [PATCH 22/24] Lock down TIOCSSERIAL
+Subject: [PATCH 22/25] Lock down TIOCSSERIAL
 
 Lock down TIOCSSERIAL as that can be used to change the ioport and irq
 settings on a serial port.  This only appears to be an issue for the serial
@@ -32,5 +32,5 @@ index f534a40aebde..e32c0179f423 100644
  		retval = -EPERM;
  		if (change_irq || change_port ||
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
 From 7a7e247d55502efe910eef98322fa706aa8b7ad8 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 23/25] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -26,5 +26,5 @@ index 189f1a748e4c..c44e17ddc9e1 100644
  
  # Leave processing to above invocation of make
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0024-Add-arm64-coreos-verity-hash.patch

@@ -1,7 +1,7 @@
 From 0038c7fad4882341972286f31a15f8013f97e964 Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH 24/24] Add arm64 coreos verity hash
+Subject: [PATCH 24/25] Add arm64 coreos verity hash
 
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@@ -25,5 +25,5 @@ index 613fc3000677..fdaf86c78332 100644
  	/*
  	 * The debug table is referenced via its Relative Virtual Address (RVA),
 -- 
-2.14.1
+2.13.6
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.13/z0025-ovl-fix-regression-caused-by-exclusive-upper-work-di.patch

@@ -0,0 +1,148 @@
+From 3dd952f456fda073b3d492a94745f119effba17b Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Fri, 29 Sep 2017 10:21:21 +0300
+Subject: [PATCH 25/25] ovl: fix regression caused by exclusive upper/work dir
+ protection
+
+Enforcing exclusive ownership on upper/work dirs caused a docker
+regression: https://github.com/moby/moby/issues/34672.
+
+Euan spotted the regression and pointed to the offending commit.
+Vivek has brought the regression to my attention and provided this
+reproducer:
+
+Terminal 1:
+
+  mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none
+        merged/
+
+Terminal 2:
+
+  unshare -m
+
+Terminal 1:
+
+  umount merged
+  mount -t overlay -o workdir=work,lowerdir=lower,upperdir=upper none
+        merged/
+  mount: /root/overlay-testing/merged: none already mounted or mount point
+         busy
+
+To fix the regression, I replaced the error with an alarming warning.
+With index feature enabled, mount does fail, but logs a suggestion to
+override exclusive dir protection by disabling index.
+Note that index=off mount does take the inuse locks, so a concurrent
+index=off will issue the warning and a concurrent index=on mount will fail.
+
+Documentation was updated to reflect this change.
+
+Fixes: 2cac0c00a6cd ("ovl: get exclusive ownership on upper/work dirs")
+Cc: <stable@vger.kernel.org> # v4.13
+Reported-by: Euan Kemp <euank@euank.com>
+Reported-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+---
+ Documentation/filesystems/overlayfs.txt |  5 ++++-
+ fs/overlayfs/ovl_entry.h                |  3 +++
+ fs/overlayfs/super.c                    | 27 +++++++++++++++++++--------
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/Documentation/filesystems/overlayfs.txt b/Documentation/filesystems/overlayfs.txt
+index 36f528a7fdd6..8caa60734647 100644
+--- a/Documentation/filesystems/overlayfs.txt
++++ b/Documentation/filesystems/overlayfs.txt
+@@ -210,8 +210,11 @@ path as another overlay mount and it may use a lower layer path that is
+ beneath or above the path of another overlay lower layer path.
+ 
+ Using an upper layer path and/or a workdir path that are already used by
+-another overlay mount is not allowed and will fail with EBUSY.  Using
++another overlay mount is not allowed and may fail with EBUSY.  Using
+ partially overlapping paths is not allowed but will not fail with EBUSY.
++If files are accessed from two overlayfs mounts which share or overlap the
++upper layer and/or workdir path the behavior of the overlay is undefined,
++though it will not result in a crash or deadlock.
+ 
+ Mounting an overlay using an upper layer path, where the upper layer path
+ was previously used by another mounted overlay in combination with a
+diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
+index 878a750986dd..25d9b5adcd42 100644
+--- a/fs/overlayfs/ovl_entry.h
++++ b/fs/overlayfs/ovl_entry.h
+@@ -37,6 +37,9 @@ struct ovl_fs {
+ 	bool noxattr;
+ 	/* sb common to all layers */
+ 	struct super_block *same_sb;
++	/* Did we take the inuse lock? */
++	bool upperdir_locked;
++	bool workdir_locked;
+ };
+ 
+ /* private information held for every overlayfs dentry */
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index d86e89f97201..a1464905c1ea 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -210,9 +210,10 @@ static void ovl_put_super(struct super_block *sb)
+ 
+ 	dput(ufs->indexdir);
+ 	dput(ufs->workdir);
+-	ovl_inuse_unlock(ufs->workbasedir);
++	if (ufs->workdir_locked)
++		ovl_inuse_unlock(ufs->workbasedir);
+ 	dput(ufs->workbasedir);
+-	if (ufs->upper_mnt)
++	if (ufs->upper_mnt && ufs->upperdir_locked)
+ 		ovl_inuse_unlock(ufs->upper_mnt->mnt_root);
+ 	mntput(ufs->upper_mnt);
+ 	for (i = 0; i < ufs->numlower; i++)
+@@ -880,9 +881,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ 			goto out_put_upperpath;
+ 
+ 		err = -EBUSY;
+-		if (!ovl_inuse_trylock(upperpath.dentry)) {
+-			pr_err("overlayfs: upperdir is in-use by another mount\n");
++		if (ovl_inuse_trylock(upperpath.dentry)) {
++			ufs->upperdir_locked = true;
++		} else if (ufs->config.index) {
++			pr_err("overlayfs: upperdir is in-use by another mount, mount with '-o index=off' to override exclusive upperdir protection.\n");
+ 			goto out_put_upperpath;
++		} else {
++			pr_warn("overlayfs: upperdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
+ 		}
+ 
+ 		err = ovl_mount_dir(ufs->config.workdir, &workpath);
+@@ -900,9 +905,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ 		}
+ 
+ 		err = -EBUSY;
+-		if (!ovl_inuse_trylock(workpath.dentry)) {
+-			pr_err("overlayfs: workdir is in-use by another mount\n");
++		if (ovl_inuse_trylock(workpath.dentry)) {
++			ufs->workdir_locked = true;
++		} else if (ufs->config.index) {
++			pr_err("overlayfs: workdir is in-use by another mount, mount with '-o index=off' to override exclusive workdir protection.\n");
+ 			goto out_put_workpath;
++		} else {
++			pr_warn("overlayfs: workdir is in-use by another mount, accessing files from both mounts will result in undefined behavior.\n");
+ 		}
+ 
+ 		ufs->workbasedir = workpath.dentry;
+@@ -1155,11 +1164,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+ out_free_lowertmp:
+ 	kfree(lowertmp);
+ out_unlock_workdentry:
+-	ovl_inuse_unlock(workpath.dentry);
++	if (ufs->workdir_locked)
++		ovl_inuse_unlock(workpath.dentry);
+ out_put_workpath:
+ 	path_put(&workpath);
+ out_unlock_upperdentry:
+-	ovl_inuse_unlock(upperpath.dentry);
++	if (ufs->upperdir_locked)
++		ovl_inuse_unlock(upperpath.dentry);
+ out_put_upperpath:
+ 	path_put(&upperpath);
+ out_free_config:
+-- 
+2.13.6
+