diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.3.ebuild
new file mode 100644
index 0000000000..ad6f2587f5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.3.ebuild
@@ -0,0 +1,9 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+COREOS_SOURCE_REVISION=""
+inherit coreos-kernel
+
+DESCRIPTION="CoreOS Linux kernel"
+KEYWORDS="amd64 arm64"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 2146efa517..6b87f3c1e4 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1 +1,2 @@
-DIST linux-4.3.tar.xz 86920812 SHA256 4a622cc84b8a3c38d39bc17195b0c064d2b46945dfde0dae18f77b120bc9f3ae SHA512 d25812043850530fdcfdb48523523ee980747f3c2c1266149330844dae2cba0d056d4ddd9c0f129f570f5d1f6df5c20385aec5f6a2e0755edc1e2f5f93e2c6bc WHIRLPOOL e3f131443acc14d4f67bbd3f4e1c57af3d822c41c85a112564d54667a591c8619dce42327fd8166d30a2d7adfaf433c2e2134d4995c91c08f65ac0cc2190f935
+DIST linux-4.4.tar.xz 87295988 SHA256 401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2 SHA512 13c8459933a8b80608e226a1398e3d1848352ace84bcfb7e6a4a33cb230bbe1ab719d4b58e067283df91ce5311be6d2d595fc8c19e2ae6ecc652499415614b3e WHIRLPOOL 02abc203d867404b9934aaa4c1e5b5dcbb0b0021e91a03f3a7e7fd224eed106821d8b4949f32a590536db150e5a88c16fcde88538777a26d0c17900f0257b1bc
+DIST patch-4.4.3.xz 99576 SHA256 4a24c79c40b2cb820ce9f22d44f31edcbde5971432753ab0289772946ed05b7b SHA512 8477ecd07d06bc6c6d75dc95027920e1f41128fa8a6b382377d7a0a64ccbca719a464ef64397a3715e7ffe400640c6590ab5da691690472d1f9311ed82041d50 WHIRLPOOL 8f2c775d79731e32ed5ed3f50f3a5dd5a2a81e991a11e1d2234622bd20ccd9df3f8dcf1049f36f555238af7d7b457df738bb30e9766ff8ae5f3f4153e8078773
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.1.ebuild
deleted file mode 100644
index d2ba3fc59d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.1.ebuild
+++ /dev/null
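Review bot: The SHA256/SHA512/WHIRLPOOL values added for linux-4.4.tar.xz and patch-4.4.3.xz are the only integrity check the coreos-sources ebuild applies to what `${KERNEL_URI}` fetches, and nothing in this change verifies kernel.org's PGP signature over those digests, so the Manifest is only as trustworthy as the mirror the digests were generated from. Cross-check the two SHA256 entries against the signed sha256sums.asc for the 4.4 tarball and the 4.4.3 stable patch before merging, and say so in the commit message. The old Manifest listed only linux-4.3.tar.xz, so it apparently did not cover the 4.4.1 ebuild being deleted in this same commit; if that was a known gap, a sentence in the description would help.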
@@ -1,40 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
- ${PATCH_DIR}/0001-Add-secure_modules-call.patch \
- ${PATCH_DIR}/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
- ${PATCH_DIR}/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
- ${PATCH_DIR}/0004-ACPI-Limit-access-to-custom_method.patch \
- ${PATCH_DIR}/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
- ${PATCH_DIR}/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
- ${PATCH_DIR}/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
- ${PATCH_DIR}/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
- ${PATCH_DIR}/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
- ${PATCH_DIR}/0010-Add-option-to-automatically-enforce-module-signature.patch \
- ${PATCH_DIR}/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
- ${PATCH_DIR}/0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
- ${PATCH_DIR}/0013-hibernate-Disable-in-a-signed-modules-environment.patch \
- ${PATCH_DIR}/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
- ${PATCH_DIR}/0015-Overlayfs-Use-copy-up-security-hooks.patch \
- ${PATCH_DIR}/0016-SELinux-Stub-in-copy-up-handling.patch \
- ${PATCH_DIR}/0017-SELinux-Handle-opening-of-a-unioned-file.patch \
- ${PATCH_DIR}/0018-SELinux-Check-against-union-label-for-file-operation.patch \
- ${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
- ${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
- ${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
-"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild
new file mode 100644
index 0000000000..b31615da8a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.3.ebuild
@@ -0,0 +1,46 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision. We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+ ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
+ ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+ ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+ ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
+ ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+ ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+ ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+ ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+ ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+ ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
+ ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+ ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+ ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+ ${PATCH_DIR}/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch \
+ ${PATCH_DIR}/z0015-Overlayfs-Use-copy-up-security-hooks.patch \
+ ${PATCH_DIR}/z0016-SELinux-Stub-in-copy-up-handling.patch \
+ ${PATCH_DIR}/z0017-SELinux-Handle-opening-of-a-unioned-file.patch \
+ ${PATCH_DIR}/z0018-SELinux-Check-against-union-label-for-file-operation.patch \
+ ${PATCH_DIR}/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+ ${PATCH_DIR}/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
+ ${PATCH_DIR}/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch \
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
deleted file mode 100644
index 76d7b09290..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch
+++ /dev/null
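Review bot: The z-prefix ordering that UNIPATCH_LIST depends on is asserted in the XXX comment but, as far as I can tell, is enforced only by kernel-2.eclass's unipatch sorting patch files by name next to the stable patch-${KV} it fetches itself, so an eclass change or a differently named stable patch would silently reorder them and the overlapping hunks would fail or apply with fuzz; state the dependency in the comment, e.g. `# Relies on kernel-2.eclass unipatch applying patches in lexical filename order; re-check on eclass bumps.` The removal of the former 0019 overlayfs minimal-buffer patch appears justified — the rebased z0015 context elsewhere in this commit shows the `retry:`/`value_size` loop already present in 4.4.3's copy_up.c — and a one-line comment recording that would save the next maintainer re-deriving it. The newly listed z0021 TPM eventlog patch is not visible in this chunk of the diff; confirm the file is added in the same commit, since unipatch presumably aborts on a missing entry.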
@@ -1,76 +0,0 @@
-From 7505098adc7a76c3d001831af40f39c86d624a67 Mon Sep 17 00:00:00 2001
-From: Vito Caputo
-Date: Mon, 19 Oct 2015 17:53:12 -0700
-Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
-
-Rather than always allocating the high-order XATTR_SIZE_MAX buffer
-which is costly and prone to failure, only allocate what is needed and
-realloc if necessary.
-
-Fixes https://github.com/coreos/bugs/issues/489
----
- fs/overlayfs/copy_up.c | 31 ++++++++++++++++++++++---------
- 1 file changed, 22 insertions(+), 9 deletions(-)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index f59e1d8..fff40c4 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -22,8 +22,8 @@
-
- int ovl_copy_xattr(struct dentry *old, struct dentry *new)
- {
-- ssize_t list_size, size;
-- char *buf, *name, *value;
-+ ssize_t list_size, size, value_size = 0;
-+ char *buf, *name, *value = NULL;
- int error;
-
- if (!old->d_inode->i_op->getxattr ||
-@@ -41,23 +41,36 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new)
- if (!buf)
- return -ENOMEM;
-
-- error = -ENOMEM;
-- value = kmalloc(XATTR_SIZE_MAX, GFP_KERNEL);
-- if (!value)
-- goto out;
--
- list_size = vfs_listxattr(old, buf, list_size);
- if (list_size <= 0) {
- error = list_size;
-- goto out_free_value;
-+ goto out;
- }
-
- for (name = buf; name < (buf + list_size); name += strlen(name) + 1) {
-- size = vfs_getxattr(old, name, value, XATTR_SIZE_MAX);
-+retry:
-+ size = vfs_getxattr(old, name, value, value_size);
-+ if (size == -ERANGE) {
-+ size = vfs_getxattr(old, name, NULL, 0);
-+ }
-+
- if (size <= 0) {
- error = size;
- goto out_free_value;
- }
-+
-+ if (size > value_size) {
-+ void *new;
-+ new = krealloc(value, size, GFP_KERNEL);
-+ if (!new) {
-+ error = -ENOMEM;
-+ goto out_free_value;
-+ }
-+ value = new;
-+ value_size = size;
-+ goto retry;
-+ }
-+
- error = security_inode_copy_up_xattr(old, new,
- name, value, &size);
- if (error < 0)
---
-2.4.10
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch index 4b0b045bca..2580100d01 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0001-Add-secure_modules-call.patch @@ -1,4 +1,4 @@ -From 2e10f053682b2614c8689ab7cd792030adb37c3d Mon Sep 17 00:00:00 2001 +From d4d385a22ccc111d15661600328527902c40739c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/21] Add secure_modules() call @@ -41,10 +41,10 @@ index 3a19c79..db38634 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index 38c7bd5..a8f8c64 100644 +index 14833e6..88bd7ec 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4097,3 +4097,13 @@ void module_layout(struct module *mod, +@@ -4101,3 +4101,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -59,5 +59,5 @@ index 38c7bd5..a8f8c64 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index fb1b58ae38..8a0e7f1c0f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,4 +1,4 @@ -From 8161285fced6623edd4c66f9c2d3ece69014a392 Mon Sep 17 00:00:00 2001 +From 444f189f7e20976a2464a8dfd9619f716b7f523c Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index 76e15443aa..0694bff73f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,4 +1,4 @@ -From f55838325eadbb393aaf61a61a177fd7ad2f0280 Mon Sep 17 00:00:00 2001 +From 2277563f06778502ded6abe65d843f2b60b3ce03 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/21] x86: Lock down IO port access when module security is @@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch index 138ba0284d..11ebfc8999 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0004-ACPI-Limit-access-to-custom_method.patch @@ -1,4 +1,4 @@ -From 957b35947b86b16d1baadce8ec63db80bfb6466a Mon Sep 17 00:00:00 2001 +From b033a8984baef5309907d1bda6323063522a9e26 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/21] ACPI: Limit access to custom_method @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index a4e35661fe..7893da78c6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,4 +1,4 @@ -From 86c4a0683e7310bad411a1834ce2b949d5bd4534 Mon Sep 17 00:00:00 2001 +From 0ead62ff1092f98ebba09c35a7877fa7cb8b84aa Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module 
@@ -50,5 +50,5 @@ index f96f7b8..01af903 100644 1, asus->debug.method_id, &input, &output); -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index cfb9905c93..878a108e51 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,4 +1,4 @@ -From 03bc662b54a1a5978a2c840eba182b28e65f0c81 Mon Sep 17 00:00:00 2001 +From 78754044710d2afc46b910b3de24775ae6fdf0c5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is @@ -38,5 +38,5 @@ index 53fe675..b52c888 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 15f8709568..4cb34f34f4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,4 +1,4 @@ -From 16d485311fc3079de4f5b986f2fc2f7d70274f8d Mon Sep 17 00:00:00 2001 +From c874298a9a0bf7d9041d6462c0225d17ad6e478d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module @@ -35,5 +35,5 @@ index 32d684a..f8570a0 100644 #endif -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index ddc70efe6e..ac06594025 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,4 +1,4 @@ -From 7d0d3cb705bb1ae5a739d0087e62844d3bec5e6f Mon Sep 17 00:00:00 2001 +From 4b0506ea0496f3fc847cdd7a6ef2966867d08f05 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module @@ -35,5 +35,5 @@ index d873b64..3d09642 100644 /* -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 302ef8aed1..f5e7a8b2f4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,4 +1,4 @@ -From c682c72e808feb7c4dcb42ecaae7016c13ce5610 Mon Sep 17 00:00:00 2001 +From 5fe1e81ed7603157e00c8e333754225f5dcf8557 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is @@ -40,5 +40,5 @@ index 113e707..26c2f83 100644 err = -EFAULT; break; -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch index a1a54d8601..8b5c26aed3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,4 +1,4 @@ -From abac45cbcaa27170eef195cb48c33a1b37071f2a Mon Sep 17 00:00:00 2001 +From 1a1dd3d6e85dc69e8eb5991dedf2c4030fb10366 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 10/21] Add option to automatically enforce module signatures @@ -164,10 +164,10 @@ index db38634..4b8df91 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index a8f8c64..3eb8c74 100644 +index 88bd7ec..e5117b67 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4098,6 +4098,13 @@ void module_layout(struct module *mod, +@@ -4102,6 +4102,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -182,5 +182,5 @@ index a8f8c64..3eb8c74 100644 { #ifdef CONFIG_MODULE_SIG -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index dac46f1da2..a0d6ba2568 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,4 +1,4 @@ -From 76ba8b2fee84c6489316547f19d03a0485f59dc3 Mon Sep 17 00:00:00 2001 +From 47adb92861b5ed64dfb451c87df65e3190c84559 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -26,5 +26,5 @@ index 5578b6e..da9ae8a 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch index f8bc39203a..3d3eafa0f5 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,4 +1,4 @@ -From 8d2a8d8ce61706a3a778ae9fd79cb5bab91a2817 Mon Sep 17 00:00:00 2001 +From f65b02e6559706984f60260fd7b56e62230c4a18 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit @@ -39,5 +39,5 @@ index 569b5a8..4dc970e 100644 #ifdef CONFIG_EFI /* -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch index 49865abd27..563be5b067 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,4 +1,4 @@ -From b671df07aed28fcbc9e470b52b8c1822f78303c0 Mon Sep 17 00:00:00 2001 +From 6c9baf862507876196ad55c98604cc75fa4c1b3d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment @@ -35,5 +35,5 @@ index b7342a2..8a6b218 100644 /** -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch index a04d4791ef..001435be5f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch @@ -1,4 +1,4 @@ -From 9cb22840851be7a7f842229e6603a6b4b25e824d Mon Sep 17 00:00:00 2001 +From 2302270e90b6a78ce6a0de8ec5fa18072875b01d Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned @@ -136,5 +136,5 @@ index 46f405c..e33c5d5 100644 LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch similarity index 76% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch index de95fefcad..1855eedb6f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0015-Overlayfs-Use-copy-up-security-hooks.patch @@ -1,4 +1,4 @@ -From 64ef0efdd90f5aae4fae7c76783b09af53d29dfe Mon Sep 17 00:00:00 2001 +From b8b4027d3d1666411c8f323236fe8c8c3a454137 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks @@ -13,25 +13,25 @@ Signed-off-by: David Howells 1 file changed, 12 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 0a89834..f59e1d8 100644 +index eff6319..e153e17 100644 --- a/fs/overlayfs/copy_up.c 
+++ b/fs/overlayfs/copy_up.c -@@ -58,6 +58,14 @@ int ovl_copy_xattr(struct dentry *old, struct dentry *new) - error = size; - goto out_free_value; +@@ -70,6 +70,14 @@ retry: + value_size = size; + goto retry; } + error = security_inode_copy_up_xattr(old, new, + name, value, &size); + if (error < 0) -+ goto out_free_value; ++ break; + if (error == 1) { + error = 0; + continue; /* Discard */ + } + error = vfs_setxattr(new, name, value, size, 0); if (error) - goto out_free_value; -@@ -222,6 +230,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, +@@ -233,6 +241,10 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, if (err) goto out2; @@ -43,5 +43,5 @@ index 0a89834..f59e1d8 100644 struct path upperpath; ovl_path_upper(dentry, &upperpath); -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch index 0cd80b0a90..345a113e39 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0016-SELinux-Stub-in-copy-up-handling.patch @@ -1,4 +1,4 @@ -From 38d19edb9bae02a9e78b26a7b2c4f0980ee13ee3 Mon Sep 17 00:00:00 2001 +From 98e460005ad53f5c92fc070a177bcb2f5daa8d7d Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 16/21] SELinux: Stub in copy-up handling 
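Review bot: The rebased hunk changes the hook's failure path from `goto out_free_value` to `break`, so freeing `value` when security_inode_copy_up_xattr returns a negative error now depends on code after the loop that is outside this hunk; that is consistent with the new context, where `value` is grown by krealloc inside the loop and no `out_free_value` label is visible, but confirm that 4.4.3's ovl_copy_xattr does `kfree(value)` unconditionally after the loop rather than only on the success path, otherwise the hook error path leaks the buffer. The `error == 1` discard branch still uses `continue` and relies on the for-increment to advance `name`, which the preserved loop header does. The enclosing function ovl_copy_xattr starts and ends outside this hunk.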
@@ -51,5 +51,5 @@ index d0cfaa9..d062209 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.4.10 +2.4.6 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch index 7157da106a..92d65ac2db 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,4 +1,4 @@ -From 3e6ccc54dd0383a8c57287f9e63f392595e28cb1 Mon Sep 17 00:00:00 2001 +From 3bdeb87a02c98c290c46aad2d16b1a70a28ee19e Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file @@ -129,5 +129,5 @@ index 81fa718..f088c08 100644 }; -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch index c750a52305..105bebcdc4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,4 +1,4 @@ -From 7b0a1257f4b4a35f087db9120b684d3a9c8181e5 Mon Sep 17 00:00:00 2001 +From 19c9589933e63e418736e12aeff9d4f5b08054e7 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 Subject: [PATCH 18/21] SELinux: Check against union label for file operations @@ -46,5 +46,5 @@ index 5f0a11f..e33019e 100644 out: return rc; -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 53d639f4bd..f2ae46b9cf 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0019-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From b0a4a60266e116f35e31a2054d9769f23dc88a95 Mon Sep 17 00:00:00 2001 +From 274bc65fa0a1185d50b45fe84a8647af63cdb6ee Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 19/21] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index c6a265b..8125380 100644 +index 802be10..2d2f994 100644 --- a/Makefile +++ b/Makefile @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make @@ -26,5 +26,5 @@ index c6a265b..8125380 100644 # Leave processing to above invocation of make -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch index 4b4402ab8f..2a02e393fa 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0020-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch @@ -1,7 +1,7 @@ -From 196c562e9a0ef9a1580f35c014ee7f4669cfb5d7 Mon Sep 17 00:00:00 2001 +From 18b8e9f92afd62598d454e68138dda551ce7d381 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:43:52 +0000 -Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on +Subject: [PATCH 20/21] Don't verify write permissions on lower inodes on overlayfs If a user opens a file r/w on overlayfs, and if the underlying inode is @@ -19,10 +19,10 @@ the selinux permissions check if that flag is set. 3 files changed, 13 insertions(+) diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c -index 4060ffd..b6f02f2 100644 +index b29036a..545b856 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c -@@ -125,6 +125,9 @@ int ovl_permission(struct inode *inode, int mask) +@@ -138,6 +138,9 @@ int ovl_permission(struct inode *inode, int mask) goto out_dput; } @@ -65,5 +65,5 @@ index e33019e..48746ee 100644 /* No permission to check. Existence test. */ -- -2.4.10 +2.4.6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
new file mode 100644
index 0000000000..2a7b961cbc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/z0021-Fix-unallocated-memory-access-in-TPM-eventlog-code.patch
@@ -0,0 +1,36 @@
+From 19dcc9bee719a81d3b2ed1386e76c9c2ae5a87c7 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Tue, 1 Mar 2016 15:00:15 -0800
+Subject: [PATCH 21/21] Fix unallocated memory access in TPM eventlog code
+
+COmmit 0cc698 added support for handling endian fixups in the event log code
+but broke the binary log file in the process. Keep the endian code, but read
+the event data from the actual event rather than from unallocated RAM.
+
+Signed-off-by: Matthew Garrett
+Cc: stable@kernel.org
+---
+ drivers/char/tpm/tpm_eventlog.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
+index bd72fb0..e47092c 100644
+--- a/drivers/char/tpm/tpm_eventlog.c
++++ b/drivers/char/tpm/tpm_eventlog.c
+@@ -244,7 +244,12 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
+
+ tempPtr = (char *)&temp_event;
+
+- for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++)
++ for (i = 0; i < sizeof(struct tcpa_event); i++)
++ seq_putc(m, tempPtr[i]);
++
++ tempPtr = (char *)&event->event_data;
++
++ for (i = 0; i < temp_event.event_size; i++)
+ seq_putc(m, tempPtr[i]);
+
+ return 0;
+--
+2.4.6
+
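Review bot: The second loop in the new patch copies `temp_event.event_size` bytes out of `event->event_data`, and nothing in this hunk bounds that size against the end of the mapped event log; the hunk fixes the over-read past the stack copy in `temp_event` but still trusts a length field taken from firmware-provided data. If that validation lives in the log iterator (outside this hunk), a comment at the loop such as `/* event_size is bounds-checked against the log limit by the iterator */` would make the dependency visible to the next rebase; otherwise a check before the loop is needed. Reusing `tempPtr` for two different objects is also easy to misread — a second pointer, e.g. `const char *data = (const char *)event->event_data;`, would read better. The function prologue where `temp_event` is filled lies outside the hunk, and the commit message carries a typo (`COmmit`).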