From b26af9b803a564bd79422aab99bdd2e8f8876aa0 Mon Sep 17 00:00:00 2001 
From: Alex Crawford Date: Tue, 5 Apr 2016 15:26:53 -0700 Subject: [PATCH] coreos-{kernel,sources}: fix build The previous merge was missing defconfigs and had a typo in one of the overlay patches. --- ...0.ebuild => coreos-kernel-4.5.0-r1.ebuild} | 2 +- ...md64_defconfig-4.4 => amd64_defconfig-4.5} | 13 +++--- ...rm64_defconfig-4.4 => arm64_defconfig-4.5} | 13 +++--- ....ebuild => coreos-sources-4.5.0-r1.ebuild} | 6 +-- .../4.5/0001-Add-secure_modules-call.patch | 2 +- ...R-access-when-module-security-is-ena.patch | 2 +- ...-port-access-when-module-security-is.patch | 2 +- ...4-ACPI-Limit-access-to-custom_method.patch | 2 +- ...t-debugfs-interface-when-module-load.patch | 2 +- ...-and-dev-kmem-when-module-loading-is.patch | 2 +- ..._rsdp-kernel-parameter-when-module-l.patch | 2 +- ...-runtime-if-the-kernel-enforces-modu.patch | 2 +- ...-access-when-module-loading-is-restr.patch | 2 +- ...tomatically-enforce-module-signature.patch | 2 +- ...ECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch | 2 +- .../0012-efi-Add-EFI_SECURE_BOOT-bit.patch | 2 +- ...able-in-a-signed-modules-environment.patch | 2 +- ...-copy-up-security-hooks-for-unioned-.patch | 2 +- ...Overlayfs-Use-copy-up-security-hooks.patch | 6 +-- ...016-SELinux-Stub-in-copy-up-handling.patch | 2 +- ...nux-Handle-opening-of-a-unioned-file.patch | 2 +- ...ainst-union-label-for-file-operation.patch | 2 +- ...ative-path-for-KBUILD_SRC-from-CURD.patch} | 4 +- ...e-a-minimal-buffer-in-ovl_copy_xattr.patch | 41 ------------------- ...e-permissions-on-lower-inodes-on-ov.patch} | 4 +- ...d-memory-access-in-TPM-eventlog-code.patch | 36 ++++++++++++++++ 26 files changed, 76 insertions(+), 83 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.5.0.ebuild => coreos-kernel-4.5.0-r1.ebuild} (86%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/{amd64_defconfig-4.4 => amd64_defconfig-4.5} (99%) rename 
sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/{arm64_defconfig-4.4 => arm64_defconfig-4.5} (99%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.5.0.ebuild => coreos-sources-4.5.0-r1.ebuild} (90%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/{0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch => 0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch} (87%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/{0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch => 0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch} (94%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0-r1.ebuild
similarity index 86%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0-r1.ebuild
index ad6f2587f5..4cdc6203e3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.5.0-r1.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 EAPI=5
-COREOS_SOURCE_REVISION=""
+COREOS_SOURCE_REVISION="-r1"
 inherit coreos-kernel
 DESCRIPTION="CoreOS Linux kernel"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.4 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.4
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5
index 9f06232dbc..e0982dba8c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.4
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.5
@@ -15,17 +15,16 @@ CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y
 CONFIG_LOG_BUF_SHIFT=18
 CONFIG_NUMA_BALANCING=y
-CONFIG_CGROUP_FREEZER=y
-CONFIG_CGROUP_DEVICE=y
-CONFIG_CPUSETS=y
-CONFIG_CGROUP_CPUACCT=y
 CONFIG_MEMCG=y
 CONFIG_MEMCG_SWAP=y
-CONFIG_MEMCG_KMEM=y
-CONFIG_CGROUP_PERF=y
+CONFIG_BLK_CGROUP=y
 CONFIG_CFS_BANDWIDTH=y
 CONFIG_RT_GROUP_SCHED=y
-CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_CHECKPOINT_RESTORE=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_NS=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.4 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5
similarity index 99%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.4
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5
index ef8afa0d49..afb60f0d03 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.4
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.5
@@ -14,19 +14,18 @@ CONFIG_TASK_IO_ACCOUNTING=y
 CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y
 CONFIG_LOG_BUF_SHIFT=14
-CONFIG_CGROUP_FREEZER=y
-CONFIG_CGROUP_DEVICE=y
-CONFIG_CPUSETS=y
 # CONFIG_PROC_PID_CPUSET is not set
-CONFIG_CGROUP_CPUACCT=y
 CONFIG_MEMCG=y
 CONFIG_MEMCG_SWAP=y
-CONFIG_MEMCG_KMEM=y
 CONFIG_CGROUP_HUGETLB=y
-CONFIG_CGROUP_PERF=y
+CONFIG_BLK_CGROUP=y
 CONFIG_CFS_BANDWIDTH=y
 CONFIG_RT_GROUP_SCHED=y
-CONFIG_BLK_CGROUP=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_USER_NS=y
 CONFIG_SCHED_AUTOGROUP=y
 CONFIG_BLK_DEV_INITRD=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0-r1.ebuild
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0-r1.ebuild
index 3dfa523e47..180241e8bb 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.5.0-r1.ebuild
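Review bot: Both regenerated defconfigs silently drop `CONFIG_MEMCG_KMEM=y` (the amd64 hunk above does the same as this arm64 one), and the commit message only talks about missing defconfigs, so a reader cannot tell whether kernel-memory accounting for containers was given up or whether the 4.5 Kconfig simply no longer has the symbol. The reshuffling of the cgroup options into a new sequence reads like `make olddefconfig` output, which would be consistent with the symbol having been removed upstream, but that is an inference and not something the hunk shows. If it was removed, one sentence in the commit message saying so (e.g. `MEMCG_KMEM is gone in 4.5; kmem accounting is now part of CONFIG_MEMCG`) would settle it; if it still exists, the line needs to come back before this config ships.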
@@ -40,7 +40,7 @@ UNIPATCH_LIST="
 ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
 ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
 ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
- ${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
- ${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
- ${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+ ${PATCH_DIR}/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+ ${PATCH_DIR}/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+ ${PATCH_DIR}/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch
index e8d74e1617..03e2d19b5e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0001-Add-secure_modules-call.patch
@@ -1,4 +1,4 @@
-From fcf2db4366ca7c0ca81bfbee603b864b4347cbe5 Mon Sep 17 00:00:00 2001
+From 02edef7def11ef45c9dca82382f4d5037b359ce6 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 9 Aug 2013 17:58:15 -0400
 Subject: [PATCH 01/21] Add secure_modules() call
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
index b8f748a4f7..4896cc53f3 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,4 +1,4 @@ -From 00d259d880af2beb8e40f54fc391f9bcff74dd8e Mon Sep 17 00:00:00 2001 +From 4f9bf3ce823a63e72687fa331bdcfd9050f00b54 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index 2f53a8aee8..d5a6ead5aa 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,4 +1,4 @@ -From b6df0aa8a4a37a61c84eaa81d7e5ceef59e2aa59 Mon Sep 17 00:00:00 2001 +From fbcd2f7543b10fb9ff7075eab04aafc8ced67761 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/21] x86: Lock down IO port access when module security is diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch index 60af4fb9e0..5c3b13ace3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0004-ACPI-Limit-access-to-custom_method.patch @@ -1,4 +1,4 @@ -From 23fd87347efce05c7500210e38c4e557d2314b65 Mon Sep 17 00:00:00 2001 +From c84966668b5d607812d3f3788dcfa7fbcab400a3 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/21] ACPI: Limit access to custom_method diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 990409d446..705c896545 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,4 +1,4 @@ -From cb9a6384b9fb18f33bdf2717df93aba01e32b17d Mon Sep 17 00:00:00 2001 +From aafea7dbb04999694c5d7514a8ade6dffc80b6a8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 5aec2da86c..e79fa00dfb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch 
@@ -1,4 +1,4 @@ -From eecc59493292b4fc199cee082b88f2deec02018d Mon Sep 17 00:00:00 2001 +From e1a26d978277b78e5f0f393018cecc2e6f6660ab Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 11851d67f3..77d34137af 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,4 +1,4 @@ -From e2d101b00ccfba464fd82db710dcae260c17fc1d Mon Sep 17 00:00:00 2001 +From 2d464f9da317e687e5fa03b7a079ad811192f491 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 5d8917755f..4d4adec179 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch 
@@ -1,4 +1,4 @@ -From cebac394600acad86fac15fbafc01693ab6fdd5c Mon Sep 17 00:00:00 2001 +From e6288d2d10780371525b4fadaabc8c2d5ac87ad8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index bf77c2ae55..08dbf62f04 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,4 +1,4 @@ -From fe362fcdfb3eda249a88790c4d6003a551c586cd Mon Sep 17 00:00:00 2001 +From 0cf91ec9a013fe36fc934519e02d5ac3a281b907 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch index 3b8d4c3a03..3f0b5763be 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0010-Add-option-to-automatically-enforce-module-signature.patch 
@@ -1,4 +1,4 @@ -From 323216a1694f4d402ce89432d75b7d2756417b68 Mon Sep 17 00:00:00 2001 +From 6e0533e9784929c426d8b9b8566f28d7b79aa109 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 10/21] Add option to automatically enforce module signatures diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index 970e7a8cab..d400ebe478 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,4 +1,4 @@ -From dbfa35d390791ae9c39f043fe0209c4fc4b1ec7b Mon Sep 17 00:00:00 2001 +From 635479012d1f2ecc3109f8d026286ed54e429e89 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch index 3043473146..53b9c66123 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,4 +1,4 @@ -From f8c98a5d526a3627cad4dd5b6cc81bf12f862326 Mon Sep 17 00:00:00 2001 +From a3ac48fab6c056a4857dcb1adea99871d5846cd8 Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch index 895e1d90bc..e01c7b5fa4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,4 +1,4 @@ -From 5cb706dfbad58dfee5ee54346d47d1cb588219c3 Mon Sep 17 00:00:00 2001 +From 4483ccc2fb447291aaafe690570437e72b54a396 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch index f8fb3ef686..4fcfe4a986 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch @@ -1,4 +1,4 @@ -From 7aa0a80475c2c565a5128d85c148af92560c8fa3 Mon Sep 17 00:00:00 2001 +From 5b5cf4e83fc167101790192e8f6711fb9f879101 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch
index 926b17c8a7..e3f4c8c2e4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0015-Overlayfs-Use-copy-up-security-hooks.patch
@@ -1,4 +1,4 @@
-From 72e28365e6ab54a078af74a958ed25ad85228b31 Mon Sep 17 00:00:00 2001
+From eabd104a61199840d5dfe65a8a6eb353fc112600 Mon Sep 17 00:00:00 2001
 From: David Howells
 Date: Tue, 16 Jun 2015 14:14:31 +0100
 Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
@@ -13,7 +13,7 @@ Signed-off-by: David Howells
 1 file changed, 12 insertions(+)
 diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index d894e7c..fa6610a 100644
+index d894e7c..41ca95d 100644
 --- a/fs/overlayfs/copy_up.c
 +++ b/fs/overlayfs/copy_up.c
 @@ -70,6 +70,14 @@ retry:
@@ -23,7 +23,7 @@ index d894e7c..fa6610a 100644
 + error = security_inode_copy_up_xattr(old, new,
 + name, value, &size);
 + if (error < 0)
-+ goto out_free_value;
++ break;
 + if (error == 1) {
 + error = 0;
 + continue; /* Discard */
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch
index 1b896993a1..bc4f358da9 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0016-SELinux-Stub-in-copy-up-handling.patch
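Review bot: The `goto out_free_value` → `break` swap in the inner `@@ -70,6 +70,14 @@` hunk is an adaptation rather than the typo the commit message calls it: `break` only reproduces the old behaviour if the code after the loop in 4.5's copy_up.c — outside this hunk — releases `value` and returns the negative `error` left by the hook, and nothing visible here shows that. The 0019 patch deleted elsewhere in this commit used `goto out_free_value` against the older `fa6610a` base, which is presumably why the `d894e7c` (4.5) base has no such label and needs `break` instead. A sentence in the patch's own description, e.g. `Rebased on 4.5: copy_up.c no longer has an out_free_value label; error paths break out of the loop instead`, would keep the next rebase from reintroducing the goto. The enclosing xattr copy loop starts and ends outside the hunk.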
@@ -1,4 +1,4 @@ -From 7640e15f1c2473e7d698e5f66aa7290f4f1b5fcd Mon Sep 17 00:00:00 2001 +From 798fc50146e1c819932435bb2e0d92ef180fad81 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 16/21] SELinux: Stub in copy-up handling diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch index 4e2f09b62d..8a28f9ac2f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,4 +1,4 @@ -From dfaa3503791924a8ffebbed60073f5f8715093a3 Mon Sep 17 00:00:00 2001 +From 7c5c4e06a08f0f397e44bd88e8aff169fa407af6 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch index ff0bf98a66..da56ea3323 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,4 +1,4 @@ -From 52ad0951b6bfb8f10f57d6c26dca14925c772539 Mon Sep 17 00:00:00 2001 +From 92ca3f0e63d46f131f75f57ef2b6a44bd8acd2ab Mon Sep 17 00:00:00 2001 
From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 18/21] SELinux: Check against union label for file operations diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 4b45c50f42..7a853c56ed 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From 446a9480ed10cff1f2657b94d21f4b40edaf0140 Mon Sep 17 00:00:00 2001 +From cb9ecb801b14c59df0a34717eb7ff4e5caff44e4 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch deleted file mode 100644 index 3e01d6d4fd..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 6f36c5dba801f60119a75e20dd9df5369f005144 Mon Sep 17 00:00:00 2001 -From: Vito Caputo -Date: Mon, 19 Oct 2015 17:53:12 -0700 -Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr - -Rather than always allocating the high-order XATTR_SIZE_MAX buffer -which is costly and prone to failure, only allocate what is needed and -realloc if necessary. - -Fixes https://github.com/coreos/bugs/issues/489 ---- - fs/overlayfs/copy_up.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index fa6610a..78c1aa3 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -70,6 +70,19 @@ retry: - value_size = size; - goto retry; - } -+ -+ if (size > value_size) { -+ void *new; -+ new = krealloc(value, size, GFP_KERNEL); -+ if (!new) { -+ error = -ENOMEM; -+ goto out_free_value; -+ } -+ value = new; -+ value_size = size; -+ goto retry; -+ } -+ - error = security_inode_copy_up_xattr(old, new, - name, value, &size); - if (error < 0) --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch index fb7d1762a2..18b6daab5d 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch @@ -1,7 +1,7 @@ -From b9136a24769ff9012e96ca4936108ffc5995916e Mon Sep 17 00:00:00 2001 +From a19700db885d083eebff877f9b14e387d824f812 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:43:52 +0000 -Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on +Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on overlayfs If a user opens a file r/w on overlayfs, and if the underlying inode is diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch new file mode 100644 index 0000000000..ff2eb0c86d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.5/0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch 
@@ -0,0 +1,36 @@
+From 86ecc1a1941cb41b49bc16628d11bb5ef7f2cb43 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 1 Mar 2016 15:00:15 -0800
+Subject: [PATCH 21/21] Fix unallocated memory access in TPM eventlog code
+
+COmmit 0cc698 added support for handling endian fixups in the event log code
+but broke the binary log file in the process. Keep the endian code, but read
+the event data from the actual event rather than from unallocated RAM.
+
+Signed-off-by: Matthew Garrett
+Cc: stable@kernel.org
+---
+ drivers/char/tpm/tpm_eventlog.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
+index bd72fb0..e47092c 100644
+--- a/drivers/char/tpm/tpm_eventlog.c
++++ b/drivers/char/tpm/tpm_eventlog.c
+@@ -244,7 +244,12 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
+
+ tempPtr = (char *)&temp_event;
+
+- for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++)
++ for (i = 0; i < sizeof(struct tcpa_event); i++)
++ seq_putc(m, tempPtr[i]);
++
++ tempPtr = (char *)&event->event_data;
++
++ for (i = 0; i < temp_event.event_size; i++)
+ seq_putc(m, tempPtr[i]);
+
+ return 0;
+--
+2.7.3
+
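Review bot: The second `for` on the new side reads `temp_event.event_size` bytes from `event->event_data` with no bound of its own, and `event_size` is firmware-supplied log data, so the only thing keeping that read inside the event log is the seq_file iterator that handed `v` to this function, which is outside the hunk; if that iterator does not already reject an event whose `event_size` runs past the end of the log, the change moves the over-read from the stack copy to the log mapping rather than removing it. `i` is declared above the hunk and is not visible here; if it is a plain `int`, `i < temp_event.event_size` is a signed/unsigned comparison and an unsigned index would be the cleaner choice. I would record the dependency in place, e.g. `/* event_size is firmware-controlled; the seq iterator must have bounded event + event_size against the log end before handing us v */` above the second loop. The `COmmit 0cc698` typo in the description is carried into the tree as-is. `tpm_binary_bios_measurements_show` begins before this hunk.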