Merge pull request #1813 from vcaputo/kernel-v4.4.3
sys-kernel/coreos-*: bump to 4.4.3
commit
c0f30de524
@ -0,0 +1,9 @@
|
||||
# Copyright 2014 CoreOS, Inc.
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=5
|
||||
COREOS_SOURCE_REVISION=""
|
||||
inherit coreos-kernel
|
||||
|
||||
DESCRIPTION="CoreOS Linux kernel"
|
||||
KEYWORDS="amd64 arm64"
|
@ -1 +1,2 @@
|
||||
DIST linux-4.3.tar.xz 86920812 SHA256 4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae SHA512 d25812043850530fdcfdb48523523ee980747f3c2c1266149330844dae2cba0d056d4ddd9c0f129f570f5d1f6df5c20385aec5f6a2e0755edc1e2f5f93e2c6bc WHIRLPOOL e3f131443acc14d4f67bbd3f4e1c57af3d822c41c85a112564d54667a591c8619dce42327fd8166d30a2d7adfaf433c2e2134d4995c91c08f65ac0cc2190f935
|
||||
DIST linux-4.4.tar.xz 87295988 SHA256 401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2 SHA512 13c8459933a8b80608e226a1398e3d1848352ace84bcfb7e6a4a33cb230bbe1ab719d4b58e067283df91ce5311be6d2d595fc8c19e2ae6ecc652499415614b3e WHIRLPOOL 02abc203d867404b9934aaa4c1e5b5dcbb0b0021e91a03f3a7e7fd224eed106821d8b4949f32a590536db150e5a88c16fcde88538777a26d0c17900f0257b1bc
|
||||
DIST patch-4.4.3.xz 99576 SHA256 4a24c79c40b2cb820ce9f22d44f31edcbde5971432753ab0289772946ed05b7b SHA512 8477ecd07d06bc6c6d75dc95027920e1f41128fa8a6b382377d7a0a64ccbca719a464ef64397a3715e7ffe400640c6590ab5da691690472d1f9311ed82041d50 WHIRLPOOL 8f2c775d79731e32ed5ed3f50f3a5dd5a2a81e991a11e1d2234622bd20ccd9df3f8dcf1049f36f555238af7d7b457df738bb30e9766ff8ae5f3f4153e8078773
|
||||
|
@ -1,40 +0,0 @@
|
||||
# Copyright 2014 CoreOS, Inc.
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="5"
|
||||
ETYPE="sources"
|
||||
inherit kernel-2
|
||||
detect_version
|
||||
|
||||
DESCRIPTION="Full sources for the CoreOS Linux kernel"
|
||||
HOMEPAGE="http://www.kernel.org"
|
||||
SRC_URI="${KERNEL_URI}"
|
||||
|
||||
KEYWORDS="amd64 arm64"
|
||||
IUSE=""
|
||||
|
||||
PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
|
||||
# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
|
||||
UNIPATCH_LIST="
|
||||
${PATCH_DIR}/0001-Add-secure_modules-call.patch \
|
||||
${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
|
||||
${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
|
||||
${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
|
||||
${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
|
||||
${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
|
||||
${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
|
||||
${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
|
||||
${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
|
||||
${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
|
||||
${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
|
||||
${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
|
||||
${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
|
||||
${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
|
||||
${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
|
||||
${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
|
||||
${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
|
||||
${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
|
||||
${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
|
||||
${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
|
||||
"
|
@ -0,0 +1,46 @@
|
||||
# Copyright 2014 CoreOS, Inc.
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="5"
|
||||
ETYPE="sources"
|
||||
inherit kernel-2
|
||||
detect_version
|
||||
|
||||
DESCRIPTION="Full sources for the CoreOS Linux kernel"
|
||||
HOMEPAGE="http://www.kernel.org"
|
||||
SRC_URI="${KERNEL_URI}"
|
||||
|
||||
KEYWORDS="amd64 arm64"
|
||||
IUSE=""
|
||||
|
||||
PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
|
||||
|
||||
# XXX: Note we must prefix the patch filenames with "z" to ensure they are
|
||||
# applied _after_ a potential patch-${KV}.patch file, present when building a
|
||||
# patchlevel revision. We mustn't apply our patches first, it fails when the
|
||||
# local patches overlap with the upstream patch.
|
||||
|
||||
# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
|
||||
UNIPATCH_LIST="
|
||||
${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
|
||||
${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
|
||||
${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
|
||||
${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
|
||||
${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
|
||||
${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
|
||||
${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
|
||||
${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
|
||||
${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
|
||||
${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
|
||||
${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
|
||||
${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
|
||||
${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
|
||||
${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
|
||||
${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
|
||||
${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
|
||||
${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
|
||||
${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
|
||||
${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
|
||||
${PATCH_DIR}/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
|
||||
"
|
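Review bot: The new UNIPATCH_LIST gives no hint of why it differs from the 4.3 ebuild it replaces: the overlayfs "use a minimal buffer in ovl_copy_xattr" patch is gone and z0021 (TPM eventlog) is new, and nothing in the file records that the overlayfs fix is now carried by 4.4 itself — the refreshed patch-15 context (`value_size = size;` / `goto retry;`) suggests it is, but that should be verified rather than rediscovered at the next bump. A short grouping comment above the list would help, e.g. `# z0001-z0013: secure-boot/module-signature lockdown; z0014-z0018,z0020: overlayfs+SELinux union labels; z0019: kbuild relocation; z0021: TPM eventlog fix` followed by `# 4.3's overlayfs minimal-buffer patch was dropped: equivalent code appears to be upstream in 4.4 (verify on next bump)`. The `XXX` note about the `z` prefix relies on the eclass applying the files in sorted-name order; naming that assumption in the comment (presumably kernel-2's unipatch ordering) would keep an eclass update from silently re-ordering the lockdown series ahead of the upstream patch-${KV} and breaking the build.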
@ -1,76 +0,0 @@
|
||||
From 7505098adc7a76c3d001831af40f39c86d624a67 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Mon, 19 Oct 2015 17:53:12 -0700
|
||||
Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
|
||||
|
||||
Rather than always allocating the high-order XATTR_SIZE_MAX buffer
|
||||
which is costly and prone to failure, only allocate what is needed and
|
||||
realloc if necessary.
|
||||
|
||||
Fixes https://github.com/coreos/bugs/issues/489
|
||||
---
|
||||
fs/overlayfs/copy_up.c | 31 ++++++++++++++++++++++---------
|
||||
1 file changed, 22 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
|
||||
index f59e1d8..fff40c4 100644
|
||||
--- a/fs/overlayfs/copy_up.c
|
||||
+++ b/fs/overlayfs/copy_up.c
|
||||
@@ -22,8 +22,8 @@
|
||||
|
||||
int ovl_copy_xattr(struct dentry *old, struct dentry *new)
|
||||
{
|
||||
- ssize_t list_size, size;
|
||||
- char *buf, *name, *value;
|
||||
+ ssize_t list_size, size, value_size = 0;
|
||||
+ char *buf, *name, *value = NULL;
|
||||
int error;
|
||||
|
||||
if (!old->d_inode->i_op->getxattr ||
|
||||
@@ -41,23 +41,36 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
|
||||
if (!buf)
|
||||
return -ENOMEM;
|
||||
|
||||
- error = -ENOMEM;
|
||||
- value = kmalloc(XATTR_SIZE_MAX, GFP_KERNEL);
|
||||
- if (!value)
|
||||
- goto out;
|
||||
-
|
||||
list_size = vfs_listxattr(old, buf, list_size);
|
||||
if (list_size <= 0) {
|
||||
error = list_size;
|
||||
- goto out_free_value;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
for (name = buf; name < (buf + list_size); name += strlen(name) + 1) {
|
||||
- size = vfs_getxattr(old, name, value, XATTR_SIZE_MAX);
|
||||
+retry:
|
||||
+ size = vfs_getxattr(old, name, value, value_size);
|
||||
+ if (size == -ERANGE) {
|
||||
+ size = vfs_getxattr(old, name, NULL, 0);
|
||||
+ }
|
||||
+
|
||||
if (size <= 0) {
|
||||
error = size;
|
||||
goto out_free_value;
|
||||
}
|
||||
+
|
||||
+ if (size > value_size) {
|
||||
+ void *new;
|
||||
+ new = krealloc(value, size, GFP_KERNEL);
|
||||
+ if (!new) {
|
||||
+ error = -ENOMEM;
|
||||
+ goto out_free_value;
|
||||
+ }
|
||||
+ value = new;
|
||||
+ value_size = size;
|
||||
+ goto retry;
|
||||
+ }
|
||||
+
|
||||
error = security_inode_copy_up_xattr(old, new,
|
||||
name, value, &size);
|
||||
if (error < 0)
|
||||
--
|
||||
2.4.10
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2e10f053682b2614c8689ab7cd792030adb37c3d Mon Sep 17 00:00:00 2001
|
||||
From d4d385a22ccc111d15661600328527902c40739c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH 01/21] Add secure_modules() call
|
||||
@ -41,10 +41,10 @@ index 3a19c79..db38634 100644
|
||||
|
||||
#ifdef CONFIG_SYSFS
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 38c7bd5..a8f8c64 100644
|
||||
index 14833e6..88bd7ec 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4097,3 +4097,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4101,3 +4101,13 @@ void module_layout(struct module *mod,
|
||||
}
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
@ -59,5 +59,5 @@ index 38c7bd5..a8f8c64 100644
|
||||
+}
|
||||
+EXPORT_SYMBOL(secure_modules);
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8161285fced6623edd4c66f9c2d3ece69014a392 Mon Sep 17 00:00:00 2001
|
||||
From 444f189f7e20976a2464a8dfd9619f716b7f523c Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is
|
||||
@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f55838325eadbb393aaf61a61a177fd7ad2f0280 Mon Sep 17 00:00:00 2001
|
||||
From 2277563f06778502ded6abe65d843f2b60b3ce03 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 03/21] x86: Lock down IO port access when module security is
|
||||
@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644
|
||||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 957b35947b86b16d1baadce8ec63db80bfb6466a Mon Sep 17 00:00:00 2001
|
||||
From b033a8984baef5309907d1bda6323063522a9e26 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 04/21] ACPI: Limit access to custom_method
|
||||
@ -27,5 +27,5 @@ index c68e724..4277938 100644
|
||||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 86c4a0683e7310bad411a1834ce2b949d5bd4534 Mon Sep 17 00:00:00 2001
|
||||
From 0ead62ff1092f98ebba09c35a7877fa7cb8b84aa Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module
|
||||
@ -50,5 +50,5 @@ index f96f7b8..01af903 100644
|
||||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 03bc662b54a1a5978a2c840eba182b28e65f0c81 Mon Sep 17 00:00:00 2001
|
||||
From 78754044710d2afc46b910b3de24775ae6fdf0c5 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
@ -38,5 +38,5 @@ index 53fe675..b52c888 100644
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 16d485311fc3079de4f5b986f2fc2f7d70274f8d Mon Sep 17 00:00:00 2001
|
||||
From c874298a9a0bf7d9041d6462c0225d17ad6e478d Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
@ -35,5 +35,5 @@ index 32d684a..f8570a0 100644
|
||||
#endif
|
||||
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 7d0d3cb705bb1ae5a739d0087e62844d3bec5e6f Mon Sep 17 00:00:00 2001
|
||||
From 4b0506ea0496f3fc847cdd7a6ef2966867d08f05 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Thu, 19 Nov 2015 18:55:53 -0800
|
||||
Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
|
||||
@ -35,5 +35,5 @@ index d873b64..3d09642 100644
|
||||
|
||||
/*
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c682c72e808feb7c4dcb42ecaae7016c13ce5610 Mon Sep 17 00:00:00 2001
|
||||
From 5fe1e81ed7603157e00c8e333754225f5dcf8557 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is
|
||||
@ -40,5 +40,5 @@ index 113e707..26c2f83 100644
|
||||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From abac45cbcaa27170eef195cb48c33a1b37071f2a Mon Sep 17 00:00:00 2001
|
||||
From 1a1dd3d6e85dc69e8eb5991dedf2c4030fb10366 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 10/21] Add option to automatically enforce module signatures
|
||||
@ -164,10 +164,10 @@ index db38634..4b8df91 100644
|
||||
|
||||
extern int modules_disabled; /* for sysctl */
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index a8f8c64..3eb8c74 100644
|
||||
index 88bd7ec..e5117b67 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4098,6 +4098,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4102,6 +4102,13 @@ void module_layout(struct module *mod,
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
|
||||
@ -182,5 +182,5 @@ index a8f8c64..3eb8c74 100644
|
||||
{
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 76ba8b2fee84c6489316547f19d03a0485f59dc3 Mon Sep 17 00:00:00 2001
|
||||
From 47adb92861b5ed64dfb451c87df65e3190c84559 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:28:43 -0400
|
||||
Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
@ -26,5 +26,5 @@ index 5578b6e..da9ae8a 100644
|
||||
---help---
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 8d2a8d8ce61706a3a778ae9fd79cb5bab91a2817 Mon Sep 17 00:00:00 2001
|
||||
From f65b02e6559706984f60260fd7b56e62230c4a18 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit
|
||||
@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b671df07aed28fcbc9e470b52b8c1822f78303c0 Mon Sep 17 00:00:00 2001
|
||||
From 6c9baf862507876196ad55c98604cc75fa4c1b3d Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment
|
||||
@ -35,5 +35,5 @@ index b7342a2..8a6b218 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9cb22840851be7a7f842229e6603a6b4b25e824d Mon Sep 17 00:00:00 2001
|
||||
From 2302270e90b6a78ce6a0de8ec5fa18072875b01d Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:31 +0100
|
||||
Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned
|
||||
@ -136,5 +136,5 @@ index 46f405c..e33c5d5 100644
|
||||
LIST_HEAD_INIT(security_hook_heads.file_permission),
|
||||
.file_alloc_security =
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 64ef0efdd90f5aae4fae7c76783b09af53d29dfe Mon Sep 17 00:00:00 2001
|
||||
From b8b4027d3d1666411c8f323236fe8c8c3a454137 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:31 +0100
|
||||
Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
|
||||
@ -13,25 +13,25 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
|
||||
index 0a89834..f59e1d8 100644
|
||||
index eff6319..e153e17 100644
|
||||
--- a/fs/overlayfs/copy_up.c
|
||||
+++ b/fs/overlayfs/copy_up.c
|
||||
@@ -58,6 +58,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
|
||||
error = size;
|
||||
goto out_free_value;
|
||||
@@ -70,6 +70,14 @@ retry:
|
||||
value_size = size;
|
||||
goto retry;
|
||||
}
|
||||
+ error = security_inode_copy_up_xattr(old, new,
|
||||
+ name, value, &size);
|
||||
+ if (error < 0)
|
||||
+ goto out_free_value;
|
||||
+ break;
|
||||
+ if (error == 1) {
|
||||
+ error = 0;
|
||||
+ continue; /* Discard */
|
||||
+ }
|
||||
|
||||
error = vfs_setxattr(new, name, value, size, 0);
|
||||
if (error)
|
||||
goto out_free_value;
|
||||
@@ -222,6 +230,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
|
||||
@@ -233,6 +241,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
|
||||
if (err)
|
||||
goto out2;
|
||||
|
||||
@ -43,5 +43,5 @@ index 0a89834..f59e1d8 100644
|
||||
struct path upperpath;
|
||||
ovl_path_upper(dentry, &upperpath);
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
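Review bot: The trailing context line `goto out_free_value;` after `if (error)` at the end of the first inner hunk is shown unchanged between the 4.3 and 4.4 versions of this patch, yet the hook code right above it was rewritten from `goto out_free_value;` to `break;` — presumably because the 4.4 loop (whose new leading context is `value_size = size;` / `goto retry;`) no longer exits through that label. If 4.4's `vfs_setxattr` error path also uses `break;`, that context line is stale and the refreshed patch only applies with fuzz; a dry run against 4.4.3 with fuzz disabled (`patch -p1 -F0 --dry-run`) would confirm. Note also that the `error == 1` discard branch resets `error = 0` and continues, so the function's return value on a discarded final xattr depends on how the loop's exit is wired in 4.4, which is outside this hunk. The enclosing ovl_copy_xattr body starts and ends outside the hunk.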
@ -1,4 +1,4 @@
|
||||
From 38d19edb9bae02a9e78b26a7b2c4f0980ee13ee3 Mon Sep 17 00:00:00 2001
|
||||
From 98e460005ad53f5c92fc070a177bcb2f5daa8d7d Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 16/21] SELinux: Stub in copy-up handling
|
||||
@ -51,5 +51,5 @@ index d0cfaa9..d062209 100644
|
||||
LSM_HOOK_INIT(file_permission, selinux_file_permission),
|
||||
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 3e6ccc54dd0383a8c57287f9e63f392595e28cb1 Mon Sep 17 00:00:00 2001
|
||||
From 3bdeb87a02c98c290c46aad2d16b1a70a28ee19e Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file
|
||||
@ -129,5 +129,5 @@ index 81fa718..f088c08 100644
|
||||
};
|
||||
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 7b0a1257f4b4a35f087db9120b684d3a9c8181e5 Mon Sep 17 00:00:00 2001
|
||||
From 19c9589933e63e418736e12aeff9d4f5b08054e7 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 18/21] SELinux: Check against union label for file operations
|
||||
@ -46,5 +46,5 @@ index 5f0a11f..e33019e 100644
|
||||
out:
|
||||
return rc;
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b0a4a60266e116f35e31a2054d9769f23dc88a95 Mon Sep 17 00:00:00 2001
|
||||
From 274bc65fa0a1185d50b45fe84a8647af63cdb6ee Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -12,7 +12,7 @@ by some undesirable path component.
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index c6a265b..8125380 100644
|
||||
index 802be10..2d2f994 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
@ -26,5 +26,5 @@ index c6a265b..8125380 100644
|
||||
|
||||
# Leave processing to above invocation of make
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 196c562e9a0ef9a1580f35c014ee7f4669cfb5d7 Mon Sep 17 00:00:00 2001
|
||||
From 18b8e9f92afd62598d454e68138dda551ce7d381 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Tue, 22 Dec 2015 07:43:52 +0000
|
||||
Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on
|
||||
Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on
|
||||
overlayfs
|
||||
|
||||
If a user opens a file r/w on overlayfs, and if the underlying inode is
|
||||
@ -19,10 +19,10 @@ the selinux permissions check if that flag is set.
|
||||
3 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
|
||||
index 4060ffd..b6f02f2 100644
|
||||
index b29036a..545b856 100644
|
||||
--- a/fs/overlayfs/inode.c
|
||||
+++ b/fs/overlayfs/inode.c
|
||||
@@ -125,6 +125,9 @@ int ovl_permission(struct inode *inode, int mask)
|
||||
@@ -138,6 +138,9 @@ int ovl_permission(struct inode *inode, int mask)
|
||||
goto out_dput;
|
||||
}
|
||||
|
||||
@ -65,5 +65,5 @@ index e33019e..48746ee 100644
|
||||
|
||||
/* No permission to check. Existence test. */
|
||||
--
|
||||
2.4.10
|
||||
2.4.6
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 19dcc9bee719a81d3b2ed1386e76c9c2ae5a87c7 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Tue, 1 Mar 2016 15:00:15 -0800
|
||||
Subject: [PATCH 21/21] Fix unallocated memory access in TPM eventlog code
|
||||
|
||||
COmmit 0cc698 added support for handling endian fixups in the event log code
|
||||
but broke the binary log file in the process. Keep the endian code, but read
|
||||
the event data from the actual event rather than from unallocated RAM.
|
||||
|
||||
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
|
||||
Cc: stable@kernel.org
|
||||
---
|
||||
drivers/char/tpm/tpm_eventlog.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
|
||||
index bd72fb0..e47092c 100644
|
||||
--- a/drivers/char/tpm/tpm_eventlog.c
|
||||
+++ b/drivers/char/tpm/tpm_eventlog.c
|
||||
@@ -244,7 +244,12 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
|
||||
|
||||
tempPtr = (char *)&temp_event;
|
||||
|
||||
- for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++)
|
||||
+ for (i = 0; i < sizeof(struct tcpa_event); i++)
|
||||
+ seq_putc(m, tempPtr[i]);
|
||||
+
|
||||
+ tempPtr = (char *)&event->event_data;
|
||||
+
|
||||
+ for (i = 0; i < temp_event.event_size; i++)
|
||||
seq_putc(m, tempPtr[i]);
|
||||
|
||||
return 0;
|
||||
--
|
||||
2.4.6
|
||||
|
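Review bot: The second loop copies `temp_event.event_size` bytes starting at `event->event_data` with no bound other than that size field, which is read from the firmware-supplied log (endian-converted, per the description); whether the seq_file iterator that hands in `v` has already verified that `event_data + event_size` lies inside the log buffer is not visible in this hunk, so the patch should either state that reliance in a comment or guard here. Style-wise, `(char *)&event->event_data` takes the address of a flexible array member where `(char *)event->event_data` reads cleaner, and both byte loops collapse to `seq_write(m, &temp_event, sizeof(temp_event));` followed by `seq_write(m, event->event_data, temp_event.event_size);`. The enclosing tpm_binary_bios_measurements_show starts outside the hunk, so the prior memcpy/endian fixups assumed here are not shown.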