From e92d1d8d265d5b9b4231fdfe1e4f95959c2fc36b Mon Sep 17 00:00:00 2001 
From: Benjamin Gilbert Date: Mon, 22 May 2017 11:06:06 -0700 Subject: [PATCH] sys-kernel/coreos-*: bump to v4.11.2 --- ...-kernel-4.11.0-r1.ebuild => coreos-kernel-4.11.2.ebuild} | 0 ...odules-4.11.0-r1.ebuild => coreos-modules-4.11.2.ebuild} | 0 .../coreos-overlay/sys-kernel/coreos-sources/Manifest | 1 + ...s-sources-4.11.0.ebuild => coreos-sources-4.11.2.ebuild} | 0 .../files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch | 4 ++-- ...d-the-ability-to-lock-down-access-to-the-running-k.patch | 4 ++-- ...i-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch | 4 ++-- ...force-module-signatures-if-the-kernel-is-locked-do.patch | 4 ++-- ...strict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch | 4 ++-- ...xec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch | 4 ++-- ...py-secure_boot-flag-in-boot-params-across-kexec-re.patch | 4 ++-- ...xec_file-Disable-at-runtime-if-securelevel-has-bee.patch | 4 ++-- ...9-hibernate-Disable-when-the-kernel-is-locked-down.patch | 4 ++-- ...010-uswsusp-Disable-when-the-kernel-is-locked-down.patch | 4 ++-- ...I-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch | 4 ++-- ...6-Lock-down-IO-port-access-when-the-kernel-is-lock.patch | 4 ++-- ...6-Restrict-MSR-access-when-the-kernel-is-locked-do.patch | 4 ++-- ...us-wmi-Restrict-debugfs-interface-when-the-kernel-.patch | 4 ++-- ...PI-Limit-access-to-custom_method-when-the-kernel-i.patch | 4 ++-- ...pi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch | 4 ++-- ...pi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch | 4 ++-- ...pi-Disable-APEI-error-injection-if-the-kernel-is-l.patch | 4 ++-- ...f-Restrict-kernel-image-access-functions-when-the-.patch | 4 ++-- .../files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch | 4 ++-- ...ohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch | 4 ++-- .../files/4.11/z0022-Lock-down-TIOCSSERIAL.patch | 4 ++-- ...uild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch | 6 +++--- .../files/4.11/z0024-Add-arm64-coreos-verity-hash.patch | 
4 ++-- 28 files changed, 50 insertions(+), 49 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.11.0-r1.ebuild => coreos-kernel-4.11.2.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.11.0-r1.ebuild => coreos-modules-4.11.2.ebuild} (100%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.11.0.ebuild => coreos-sources-4.11.2.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.0-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.11.2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.0-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.11.2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 520300bf00..c871053b28 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1 +1,2 @@
 DIST linux-4.11.tar.xz 95447768 SHA256 b67ecafd0a42b3383bf4d82f0850cbff92a7e72a215a6d02f42ddbafcf42a7d6 SHA512 6610eed97ffb7207c71771198c36179b8244ace7222bebb109507720e26c5f17d918079a56d5febdd8605844d67fb2df0ebe910fa2f2f53690daf6e2a8ad09c3 WHIRLPOOL f577b7c5c209cb8dfef2f1d56d77314fbd53323743a34b900e2559ab0049b7c2d6262bda136dd3d005bc0527788106e0484e46558448a8720dac389a969e5886
+DIST patch-4.11.2.xz 55484 SHA256 df7138c754c95f2c22127d1d76c122dbfe26b0b586572855d9d095f0d112b29b SHA512 e090598bb339f04a92febe9c03317b76e51f67c2e3bfebaddb97177b19a2c195332477333be29e9f46483ff937fc85fd63fea1bb4ae18dec0fbe5bc1738afbcb WHIRLPOOL 9f5f0dc2d44c3f9a2276a8be74fddba00743869fe05482b3f3f0d1fcbff4b9e70f3d360d4c59dcd63377a3ab623ca6a9661d42dfe10240cb60a550b6d93ac60c
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.2.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.11.2.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
index 18c9001d0a..53d5e53d33 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0001-efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,4 +1,4 @@
-From 8d2a3c8d17cbc09d163fb636fd06684ed4c287d6 Mon Sep 17 00:00:00 2001
+From 086ca71645952c2622aecdc84c7afc7b3c7a7842 Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Mon, 21 Nov 2016 23:55:55 +0000
 Subject: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit
@@ -42,5 +42,5 @@ index 94d34e0..6049600 100644 #ifdef CONFIG_EFI /*
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
index cc95ed5f32..b85662f78c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0002-Add-the-ability-to-lock-down-access-to-the-running-k.patch
@@ -1,4 +1,4 @@
-From d23f58628946d89a63b5c31c52ca3eb8569d9480 Mon Sep 17 00:00:00 2001
+From 0cab5cca1b8851aec3e629a9fe09c1ae2731d19c Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Mon, 21 Nov 2016 23:36:17 +0000
 Subject: [PATCH 02/24] Add the ability to lock down access to the running
@@ -145,5 +145,5 @@ index 0000000..5788c60 +} +EXPORT_SYMBOL(kernel_is_locked_down);
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
index a05b8d6121..79d4fb68e1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
@@ -1,4 +1,4 @@
-From 60416b718069a800e830593fdfb852abad37862b Mon Sep 17 00:00:00 2001
+From f694ce50f771c473c2da050f23f291ab765d0b9a Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Mon, 21 Nov 2016 23:55:55 +0000
 Subject: [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode
@@ -65,5 +65,5 @@ index 396285b..85dfa74 100644 default: pr_info("Secure boot could not be determined\n");
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
index d734e584fe..3dc49a95de 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0004-Enforce-module-signatures-if-the-kernel-is-locked-do.patch
@@ -1,4 +1,4 @@
-From 5fb1117bb8bdfa834a1479a250508d87f9c29d9c Mon Sep 17 00:00:00 2001
+From b89e4a8478e4aeead12d569b4201bd49cb3fb5f8 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Wed, 23 Nov 2016 13:22:22 +0000
 Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
@@ -25,5 +25,5 @@ index 7eba6de..3331f2e 100644 return err;
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
index 33b1bdb807..4f082fc2be 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0005-Restrict-dev-mem-and-dev-kmem-when-the-kernel-is-loc.patch
@@ -1,4 +1,4 @@
-From ec94f3ef19d149bf234a02fbf5733fc90532d903 Mon Sep 17 00:00:00 2001
+From af03b685e00db658c4c403473c8e3eba46f7c4dc Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is
@@ -39,5 +39,5 @@ index 7e4a9d1..3c305b8 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p);
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
index 6c1d8c146f..6028726e1f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0006-kexec-Disable-at-runtime-if-the-kernel-is-locked-dow.patch
@@ -1,4 +1,4 @@
-From a2dee11f2125409c99596864ab59bc6240040180 Mon Sep 17 00:00:00 2001
+From 95da10fb45543c8498fcb0519fa0e99e6ae1f4af Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:15 +0000
 Subject: [PATCH 06/24] kexec: Disable at runtime if the kernel is locked down
@@ -35,5 +35,5 @@ index 980936a..46de8e6 100644 * This leaves us room for future extensions. */
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
index 33c2e8b716..e7e6356ffb 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0007-Copy-secure_boot-flag-in-boot-params-across-kexec-re.patch
@@ -1,4 +1,4 @@
-From ff9bf489aa713b99ef5069e7b87eaa88b3e50838 Mon Sep 17 00:00:00 2001
+From a338b22adf42f34d25a101de80567ae663b7b914 Mon Sep 17 00:00:00 2001
 From: Dave Young
 Date: Tue, 22 Nov 2016 08:46:15 +0000
 Subject: [PATCH 07/24] Copy secure_boot flag in boot params across kexec
@@ -34,5 +34,5 @@ index d0a814a..3551bca 100644 ei->efi_systab = current_ei->efi_systab; ei->efi_systab_hi = current_ei->efi_systab_hi;
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
index c86b58c9f3..2ea143e5f7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0008-kexec_file-Disable-at-runtime-if-securelevel-has-bee.patch
@@ -1,4 +1,4 @@
-From 5702dfdd0be2172bed2fd65d5f09ccf8f91ceef6 Mon Sep 17 00:00:00 2001
+From ecf5af995bebbda0633c8817225344fa4f56899c Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi"
 Date: Wed, 23 Nov 2016 13:49:19 +0000
 Subject: [PATCH 08/24] kexec_file: Disable at runtime if securelevel has been
@@ -35,5 +35,5 @@ index b118735..f6937ee 100644 if (flags != (flags & KEXEC_FILE_FLAGS)) return -EINVAL;
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
index ad1ecebe44..1b2df66230 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0009-hibernate-Disable-when-the-kernel-is-locked-down.patch
@@ -1,4 +1,4 @@
-From 83a20b13d75872926dba2d642eff291979edbe2e Mon Sep 17 00:00:00 2001
+From 185450f782f5a775d209e54cf156bdf5a0faa67f Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 22 Nov 2016 08:46:15 +0000
 Subject: [PATCH 09/24] hibernate: Disable when the kernel is locked down
@@ -28,5 +28,5 @@ index a8b978c..50cca5d 100644 /**
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
index 101b1b007a..6b20bdaca4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0010-uswsusp-Disable-when-the-kernel-is-locked-down.patch
@@ -1,4 +1,4 @@
-From 78782de3728538b3e8fb5a2b23823bc98aa4afe8 Mon Sep 17 00:00:00 2001
+From ec58e483eab1a4a99ee628ecf5657d8672b198e8 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Wed, 23 Nov 2016 13:28:17 +0000
 Subject: [PATCH 10/24] uswsusp: Disable when the kernel is locked down
@@ -28,5 +28,5 @@ index 22df9f7..e4b926d 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
index 1ef63218c7..4117951bd7 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0011-PCI-Lock-down-BAR-access-when-the-kernel-is-locked-d.patch
@@ -1,4 +1,4 @@
-From 0dfaa6335b722d770fa40ca9e3694fbebb6afcd4 Mon Sep 17 00:00:00 2001
+From 055b28c22c690a666d9388bc30d4efe1d1dbf460 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:15 +0000
 Subject: [PATCH 11/24] PCI: Lock down BAR access when the kernel is locked
@@ -99,5 +99,5 @@ index 9bf993e..c095247 100644 dev = pci_get_bus_and_slot(bus, dfn);
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
index 8029dc17ae..1c3db1ed98 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0012-x86-Lock-down-IO-port-access-when-the-kernel-is-lock.patch
@@ -1,4 +1,4 @@
-From 141aed03a504771f93f996bf93208ffc98cb2757 Mon Sep 17 00:00:00 2001
+From b624041bf4b975b28c45f9a90d8452a0b7a9768a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 12/24] x86: Lock down IO port access when the kernel is locked
@@ -55,5 +55,5 @@ index 3c305b8..f68976e 100644 }
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
index 6e7e53fd06..3ba133960b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0013-x86-Restrict-MSR-access-when-the-kernel-is-locked-do.patch
@@ -1,4 +1,4 @@
-From 692346713c770cdcfddd2b03821658b562f02f70 Mon Sep 17 00:00:00 2001
+From f65a11bbddc0ed0924b8a0e599ad91789a611553 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:17 +0000
 Subject: [PATCH 13/24] x86: Restrict MSR access when the kernel is locked down
@@ -40,5 +40,5 @@ index ef68880..fbcce02 100644 err = -EFAULT; break;
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
index 9bf261b4c9..7de7ea73ef 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0014-asus-wmi-Restrict-debugfs-interface-when-the-kernel-.patch
@@ -1,4 +1,4 @@
-From 09a257a1f105159ad9f4450c2968531c4cccf745 Mon Sep 17 00:00:00 2001
+From 55f5e715306286a687df1785757ce129f432ab10 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 14/24] asus-wmi: Restrict debugfs interface when the kernel is
@@ -51,5 +51,5 @@ index 8fe5890..feef250 100644 1, asus->debug.method_id, &input, &output);
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
index 80f4498cb4..dc3a3e11a0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0015-ACPI-Limit-access-to-custom_method-when-the-kernel-i.patch
@@ -1,4 +1,4 @@
-From fac665360016f0601ce9c1b6d662d7bab23c8019 Mon Sep 17 00:00:00 2001
+From 9622882d597a407f6d08f2528f09bd0447159446 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 15/24] ACPI: Limit access to custom_method when the kernel is
@@ -29,5 +29,5 @@ index c68e724..e4d721c 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header))
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
index 886ab57670..053b769591 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0016-acpi-Ignore-acpi_rsdp-kernel-param-when-the-kernel-h.patch
@@ -1,4 +1,4 @@
-From 6af7fcaa158248e47ec3319c15226bdb83876749 Mon Sep 17 00:00:00 2001
+From f807f3b5151a867fc50140ba977e498333ec2fc4 Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 22 Nov 2016 08:46:16 +0000
 Subject: [PATCH 16/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
@@ -28,5 +28,5 @@ index db78d35..d4d4ba3 100644 #endif
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
index d0506e0826..e3dfc1b0bd 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0017-acpi-Disable-ACPI-table-override-if-the-kernel-is-lo.patch
@@ -1,4 +1,4 @@
-From 3d13a2254fdb3bc3e618c45edf57324d37720e69 Mon Sep 17 00:00:00 2001
+From 2844417f1d840fd3aecad52f51bac40b7e014649 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto
 Date: Wed, 23 Nov 2016 13:32:27 +0000
 Subject: [PATCH 17/24] acpi: Disable ACPI table override if the kernel is
@@ -37,5 +37,5 @@ index 2604189..601096d 100644 memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS, all_tables_size, PAGE_SIZE);
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
index afd3091cb0..94405a9ab0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0018-acpi-Disable-APEI-error-injection-if-the-kernel-is-l.patch
@@ -1,4 +1,4 @@
-From 3109ef59a2ac9c3dc8255ec18f66970c2c4a207c Mon Sep 17 00:00:00 2001
+From 8599cf0d85258bb86d6c8acb393a18a971b5f4bd Mon Sep 17 00:00:00 2001
 From: Linn Crosetto
 Date: Wed, 23 Nov 2016 13:39:41 +0000
 Subject: [PATCH 18/24] acpi: Disable APEI error injection if the kernel is
@@ -40,5 +40,5 @@ index ec50c32..e082718 100644 if (flags && (flags & ~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
index bba91f8abb..61bce2701f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0019-bpf-Restrict-kernel-image-access-functions-when-the-.patch
@@ -1,4 +1,4 @@
-From a8b6c30d4fd43d684b3594eb60d62382abc39050 Mon Sep 17 00:00:00 2001
+From 29786d6de058f55d7afa299ab64399768ab0c563 Mon Sep 17 00:00:00 2001
 From: "Lee, Chun-Yi"
 Date: Wed, 23 Nov 2016 13:52:16 +0000
 Subject: [PATCH 19/24] bpf: Restrict kernel image access functions when the
@@ -53,5 +53,5 @@ index cee9802..7fde851 100644 for (i = 0; i < fmt_size; i++) { if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i]))
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch
index 9bc5aebc8f..57c999baff 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0020-scsi-Lock-down-the-eata-driver.patch
@@ -1,4 +1,4 @@
-From 8e46fe54f266e8bf44ee499c3e3965c909785751 Mon Sep 17 00:00:00 2001
+From 924c89af0064081b030f1aac58709e5daac002e9 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Tue, 22 Nov 2016 10:10:34 +0000
 Subject: [PATCH 20/24] scsi: Lock down the eata driver
@@ -43,5 +43,5 @@ index 227dd2c..5c036d1 100644 #if defined(MODULE) /* io_port could have been modified when loading as a module */
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
index 71e8361fc0..9c1e5067a1 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0021-Prohibit-PCMCIA-CIS-storage-when-the-kernel-is-locke.patch
@@ -1,4 +1,4 @@
-From 676e67b4574709c9d4dd7fe3ceef4b0fe236f99a Mon Sep 17 00:00:00 2001
+From 4c97245701c5eab51bbdc467e0826931732f8de4 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Fri, 25 Nov 2016 14:37:45 +0000
 Subject: [PATCH 21/24] Prohibit PCMCIA CIS storage when the kernel is locked
@@ -29,5 +29,5 @@ index 55ef7d1..193e4f7 100644 if (off)
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch
index 32d8f01a76..75b3e11291 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0022-Lock-down-TIOCSSERIAL.patch
@@ -1,4 +1,4 @@
-From 754ca1eba971c80218e8dd21e816851721153dff Mon Sep 17 00:00:00 2001
+From c01c88ea695bd9c4be20c5d5cec0fa52d545bbe0 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Wed, 7 Dec 2016 10:28:39 +0000
 Subject: [PATCH 22/24] Lock down TIOCSSERIAL
@@ -32,5 +32,5 @@ index 3fe5689..4181b00 100644 retval = -EPERM; if (change_irq || change_port ||
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
index aa8ca4fc0e..aa0f27ff07 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0023-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@@ -1,4 +1,4 @@
-From 888481838b62903a4b2709cb84595f89820589bb Mon Sep 17 00:00:00 2001
+From e140b45ea1af9b64d8a40c6f582b73fa13c3d55c Mon Sep 17 00:00:00 2001
 From: Vito Caputo
 Date: Wed, 25 Nov 2015 02:59:45 -0800
 Subject: [PATCH 23/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
@@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
-index 4b074a9..723c84d 100644
+index d7b6483..9b326fd 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -149,7 +149,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index 4b074a9..723c84d 100644 # Leave processing to above invocation of make
 --
-2.9.3
+2.9.4
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
index 6967428a13..f544ae85aa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.11/z0024-Add-arm64-coreos-verity-hash.patch
@@ -1,4 +1,4 @@
-From 0ec3dd6e4d4b7a14e9fae62c6f2affe6b643063e Mon Sep 17 00:00:00 2001
+From b591b43709ccc14de525038531bf5a4a27c5566a Mon Sep 17 00:00:00 2001
 From: Geoff Levand
 Date: Fri, 11 Nov 2016 17:28:52 -0800
 Subject: [PATCH 24/24] Add arm64 coreos verity hash
@@ -25,5 +25,5 @@ index 4fb6ccd..f791d18 100644 /* * The debug table is referenced via its Relative Virtual Address (RVA),
 --
-2.9.3
+2.9.4