Merge pull request #2353 from crawford/kernel

sys-kernel/coreos-*: bump to 4.8.15

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.8

@@ -393,6 +393,8 @@ CONFIG_OPENVSWITCH=m
 CONFIG_VSOCKETS=m
 CONFIG_NETLINK_DIAG=m
 CONFIG_MPLS_ROUTING=m
+CONFIG_MPLS_IPTUNNEL=m
+CONFIG_LWTUNNEL=y
 CONFIG_CGROUP_NET_PRIO=y
 CONFIG_BPF_JIT=y
 # CONFIG_WIRELESS is not set
@@ -559,6 +561,7 @@ CONFIG_NATSEMI=m
 CONFIG_FORCEDETH=m
 # CONFIG_NET_VENDOR_OKI is not set
 # CONFIG_NET_PACKET_ENGINE is not set
+CONFIG_QLGE=m
 CONFIG_NETXEN_NIC=m
 # CONFIG_NET_VENDOR_QUALCOMM is not set
 CONFIG_8139CP=m

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest

@@ -1 +1,2 @@
-DIST linux-4.9.tar.xz 93192404 SHA256 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a WHIRLPOOL 072505b29972ad120eb25a074217847c9c2813416c4903e605a0433574f5f87616dbea0b1454e4b19acc48107f11274b682958b1d773373156e99f8163e6606a
+DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5
+DIST patch-4.8.15.xz 268816 SHA256 cdeff3a6e0dc3d6189d1b1d4d6318f0942b9a28409491cf65592879e4c42b1f7 SHA512 d819c86f3fe93ee1d083fdce954ae06a683a22e8b0864da170714c5230c4c2fdecc29270194b1ad8a715b836b493141c8ff2c09e76a84426b7a89ebc31fb9e01 WHIRLPOOL 36ce7b4f47cb0f86991794f9e8df0160c8f38b1153d413082636f31edba2bcbbff2c5584062800b48c9471dbcb77f825f58d509f4641a9e48a1d396216860155

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.15.ebuild

@@ -0,0 +1,46 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision.  We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+        ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
+        ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
+        ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
+        ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
+        ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
+        ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
+        ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
+        ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
+        ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+        ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+        ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
+        ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+        ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+        ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+        ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+        ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+        ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
+        ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+        ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
+        ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
+        ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.0.ebuild

@@ -1,39 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision.  We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
-        ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
-        ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
-        ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
-        ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
-        ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
-        ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
-        ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
-        ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
-        ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
-        ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
-        ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
-        ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
-        ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
-        ${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
-"

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch

@@ -0,0 +1,148 @@
+From d11e6b12ab72ee6e20a68c57fc9bc15e43488157 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:57 -0400
+Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for
+ unioned files
+
+Provide a security hook to label new file correctly when a file is copied
+up from lower layer to upper layer of a overlay/union mount.
+
+This hook can prepare a new set of creds which are suitable for new file
+creation during copy up. Caller will use new creds to create file and then
+revert back to old creds and release new creds.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ fs/overlayfs/copy_up.c    | 15 +++++++++++++++
+ include/linux/lsm_hooks.h | 11 +++++++++++
+ include/linux/security.h  |  6 ++++++
+ security/security.c       |  8 ++++++++
+ 4 files changed, 40 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 767377e..14a892b 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+ 	struct dentry *upper = NULL;
+ 	umode_t mode = stat->mode;
+ 	int err;
++	const struct cred *old_creds = NULL;
++	struct cred *new_creds = NULL;
+ 
+ 	newdentry = ovl_lookup_temp(workdir, dentry);
+ 	err = PTR_ERR(newdentry);
+@@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
+ 	if (IS_ERR(upper))
+ 		goto out1;
+ 
++	err = security_inode_copy_up(dentry, &new_creds);
++	if (err < 0)
++		goto out2;
++
++	if (new_creds)
++		old_creds = override_creds(new_creds);
++
+ 	/* Can't properly set mode on creation because of the umask */
+ 	stat->mode &= S_IFMT;
+ 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
+ 	stat->mode = mode;
++
++	if (new_creds) {
++		revert_creds(old_creds);
++		put_cred(new_creds);
++	}
++
+ 	if (err)
+ 		goto out2;
+ 
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 101bf19..ba3c842 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -401,6 +401,15 @@
+  *	@inode contains a pointer to the inode.
+  *	@secid contains a pointer to the location where result will be saved.
+  *	In case of failure, @secid will be set to zero.
++ * @inode_copy_up:
++ *	A file is about to be copied up from lower layer to upper layer of
++ *	overlay filesystem. Security module can prepare a set of new creds
++ *	and modify as need be and return new creds. Caller will switch to
++ *	new creds temporarily to create new file and release newly allocated
++ *	creds.
++ *	@src indicates the union dentry of file that is being copied up.
++ *	@new pointer to pointer to return newly allocated creds.
++ *	Returns 0 on success or a negative error code on error.
+  *
+  * Security hooks for file operations
+  *
+@@ -1425,6 +1434,7 @@ union security_list_options {
+ 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
+ 					size_t buffer_size);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
++	int (*inode_copy_up) (struct dentry *src, struct cred **new);
+ 
+ 	int (*file_permission)(struct file *file, int mask);
+ 	int (*file_alloc_security)(struct file *file);
+@@ -1696,6 +1706,7 @@ struct security_hook_heads {
+ 	struct list_head inode_setsecurity;
+ 	struct list_head inode_listsecurity;
+ 	struct list_head inode_getsecid;
++	struct list_head inode_copy_up;
+ 	struct list_head file_permission;
+ 	struct list_head file_alloc_security;
+ 	struct list_head file_free_security;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 7831cd5..c5b0ccd 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
+ int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
+ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
++int security_inode_copy_up(struct dentry *src, struct cred **new);
+ int security_file_permission(struct file *file, int mask);
+ int security_file_alloc(struct file *file);
+ void security_file_free(struct file *file);
+@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
+ 	*secid = 0;
+ }
+ 
++static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	return 0;
++}
++
+ static inline int security_file_permission(struct file *file, int mask)
+ {
+ 	return 0;
+diff --git a/security/security.c b/security/security.c
+index 4838e7f..f2a7f27 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
+ 	call_void_hook(inode_getsecid, inode, secid);
+ }
+ 
++int security_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	return call_int_hook(inode_copy_up, 0, src, new);
++}
++EXPORT_SYMBOL(security_inode_copy_up);
++
+ int security_file_permission(struct file *file, int mask)
+ {
+ 	int ret;
+@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
+ 	.inode_getsecid =
+ 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
++	.inode_copy_up =
++		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
+ 	.file_permission =
+ 		LIST_HEAD_INIT(security_hook_heads.file_permission),
+ 	.file_alloc_security =
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch

@@ -0,0 +1,62 @@
+From 1636c354fe9edec890d5f7abbb0b4c2de7a36b06 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:58 -0400
+Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook
+
+A file is being copied up for overlay file system. Prepare a new set of
+creds and set create_sid appropriately so that new file is created with
+appropriate label.
+
+Overlay inode has right label for both context and non-context mount
+cases. In case of non-context mount, overlay inode will have the label
+of lower file and in case of context mount, overlay inode will have
+the label from context= mount option.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 13185a6..264ee90 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+ 	*secid = isec->sid;
+ }
+ 
++static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
++{
++	u32 sid;
++	struct task_security_struct *tsec;
++	struct cred *new_creds = *new;
++
++	if (new_creds == NULL) {
++		new_creds = prepare_creds();
++		if (!new_creds)
++			return -ENOMEM;
++	}
++
++	tsec = new_creds->security;
++	/* Get label from overlay inode and set it in create_sid */
++	selinux_inode_getsecid(d_inode(src), &sid);
++	tsec->create_sid = sid;
++	*new = new_creds;
++	return 0;
++}
++
+ /* file security operations */
+ 
+ static int selinux_revalidate_file_permission(struct file *file, int mask)
+@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
+ 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+ 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
++	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
+ 
+ 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
+ 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch

@@ -0,0 +1,129 @@
+From 5997ba3c8d8b5b09c78b61e6eb1df387861761bc Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:58 -0400
+Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up
+ of xattrs for overlay file
+
+Provide a security hook which is called when xattrs of a file are being
+copied up. This hook is called once for each xattr and LSM can return
+0 if the security module wants the xattr to be copied up, 1 if the
+security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
+if the security module does not handle/manage the xattr, or a -errno
+upon an error.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ fs/overlayfs/copy_up.c    |  7 +++++++
+ include/linux/lsm_hooks.h | 10 ++++++++++
+ include/linux/security.h  |  6 ++++++
+ security/security.c       |  8 ++++++++
+ 4 files changed, 31 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 14a892b..8797c72 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -115,6 +115,13 @@ retry:
+ 			goto retry;
+ 		}
+ 
++		error = security_inode_copy_up_xattr(name);
++		if (error < 0 && error != -EOPNOTSUPP)
++			break;
++		if (error == 1) {
++			error = 0;
++			continue; /* Discard */
++		}
+ 		error = vfs_setxattr(new, name, value, size, 0);
+ 		if (error)
+ 			break;
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index ba3c842..336b3fb 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -410,6 +410,14 @@
+  *	@src indicates the union dentry of file that is being copied up.
+  *	@new pointer to pointer to return newly allocated creds.
+  *	Returns 0 on success or a negative error code on error.
++ * @inode_copy_up_xattr:
++ *	Filter the xattrs being copied up when a unioned file is copied
++ *	up from a lower layer to the union/overlay layer.
++ *	@name indicates the name of the xattr.
++ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
++ *	security module does not know about attribute or a negative error code
++ *	to abort the copy up. Note that the caller is responsible for reading
++ *	and writing the xattrs as this hook is merely a filter.
+  *
+  * Security hooks for file operations
+  *
+@@ -1435,6 +1443,7 @@ union security_list_options {
+ 					size_t buffer_size);
+ 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
+ 	int (*inode_copy_up) (struct dentry *src, struct cred **new);
++	int (*inode_copy_up_xattr) (const char *name);
+ 
+ 	int (*file_permission)(struct file *file, int mask);
+ 	int (*file_alloc_security)(struct file *file);
+@@ -1707,6 +1716,7 @@ struct security_hook_heads {
+ 	struct list_head inode_listsecurity;
+ 	struct list_head inode_getsecid;
+ 	struct list_head inode_copy_up;
++	struct list_head inode_copy_up_xattr;
+ 	struct list_head file_permission;
+ 	struct list_head file_alloc_security;
+ 	struct list_head file_free_security;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index c5b0ccd..536fafd 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
+ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
+ void security_inode_getsecid(struct inode *inode, u32 *secid);
+ int security_inode_copy_up(struct dentry *src, struct cred **new);
++int security_inode_copy_up_xattr(const char *name);
+ int security_file_permission(struct file *file, int mask);
+ int security_file_alloc(struct file *file);
+ void security_file_free(struct file *file);
+@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
+ 	return 0;
+ }
+ 
++static inline int security_inode_copy_up_xattr(const char *name)
++{
++	return -EOPNOTSUPP;
++}
++
+ static inline int security_file_permission(struct file *file, int mask)
+ {
+ 	return 0;
+diff --git a/security/security.c b/security/security.c
+index f2a7f27..a9e2bb9 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
+ }
+ EXPORT_SYMBOL(security_inode_copy_up);
+ 
++int security_inode_copy_up_xattr(const char *name)
++{
++	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
++}
++EXPORT_SYMBOL(security_inode_copy_up_xattr);
++
+ int security_file_permission(struct file *file, int mask)
+ {
+ 	int ret;
+@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
+ 	.inode_copy_up =
+ 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
++	.inode_copy_up_xattr =
++		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
+ 	.file_permission =
+ 		LIST_HEAD_INIT(security_hook_heads.file_permission),
+ 	.file_alloc_security =
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch

@@ -0,0 +1,53 @@
+From b56d9cfb9770c0e2e049061e3c979ea5983c8667 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:58 -0400
+Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook
+
+When a file is copied up in overlay, we have already created file on upper/
+with right label and there is no need to copy up selinux label/xattr from
+lower file to upper file. In fact in case of context mount, we don't want
+to copy up label as newly created file got its label from context= option.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 264ee90..d30d7b3 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
+ 	return 0;
+ }
+ 
++static int selinux_inode_copy_up_xattr(const char *name)
++{
++	/* The copy_up hook above sets the initial context on an inode, but we
++	 * don't then want to overwrite it by blindly copying all the lower
++	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
++	 */
++	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
++		return 1; /* Discard */
++	/*
++	 * Any other attribute apart from SELINUX is not claimed, supported
++	 * by selinux.
++	 */
++	return -EOPNOTSUPP;
++}
++
+ /* file security operations */
+ 
+ static int selinux_revalidate_file_permission(struct file *file, int mask)
+@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
+ 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
+ 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
++	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
+ 
+ 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
+ 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch

@@ -0,0 +1,73 @@
+From ac403de65c7441aa3dfa73c733f9d21fe1bb6b5c Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:59 -0400
+Subject: [PATCH 05/21] selinux: Pass security pointer to
+ determine_inode_label()
+
+Right now selinux_determine_inode_label() works on security pointer of
+current task. Soon I need this to work on a security pointer retrieved
+from a set of creds. So start passing in a pointer and caller can decide
+where to fetch security pointer from.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index d30d7b3..2bf0d00 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1808,13 +1808,13 @@ out:
+ /*
+  * Determine the label for an inode that might be unioned.
+  */
+-static int selinux_determine_inode_label(struct inode *dir,
+-					 const struct qstr *name,
+-					 u16 tclass,
+-					 u32 *_new_isid)
++static int
++selinux_determine_inode_label(const struct task_security_struct *tsec,
++				 struct inode *dir,
++				 const struct qstr *name, u16 tclass,
++				 u32 *_new_isid)
+ {
+ 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
+-	const struct task_security_struct *tsec = current_security();
+ 
+ 	if ((sbsec->flags & SE_SBINITIALIZED) &&
+ 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
+@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
+ 	if (rc)
+ 		return rc;
+ 
+-	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
+-					   &newsid);
++	rc = selinux_determine_inode_label(current_security(), dir,
++					   &dentry->d_name, tclass, &newsid);
+ 	if (rc)
+ 		return rc;
+ 
+@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ 	u32 newsid;
+ 	int rc;
+ 
+-	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
++	rc = selinux_determine_inode_label(current_security(),
++					   d_inode(dentry->d_parent), name,
+ 					   inode_mode_to_security_class(mode),
+ 					   &newsid);
+ 	if (rc)
+@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ 	sid = tsec->sid;
+ 	newsid = tsec->create_sid;
+ 
+-	rc = selinux_determine_inode_label(
++	rc = selinux_determine_inode_label(current_security(),
+ 		dir, qstr,
+ 		inode_mode_to_security_class(inode->i_mode),
+ 		&newsid);
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch

@@ -0,0 +1,159 @@
+From 1c6d33c0e52ee6ef3ed4ae8a453e39aa71d18583 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:59 -0400
+Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label
+ newly created files
+
+During a new file creation we need to make sure new file is created with the
+right label. New file is created in upper/ so effectively file should get
+label as if task had created file in upper/.
+
+We switched to mounter's creds for actual file creation. Also if there is a
+whiteout present, then file will be created in work/ dir first and then
+renamed in upper. In none of the cases file will be labeled as we want it to
+be.
+
+This patch introduces a new hook dentry_create_files_as(), which determines
+the label/context dentry will get if it had been created by task in upper
+and modify passed set of creds appropriately. Caller makes use of these new
+creds for file creation.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ fs/overlayfs/dir.c        | 10 ++++++++++
+ include/linux/lsm_hooks.h | 15 +++++++++++++++
+ include/linux/security.h  | 12 ++++++++++++
+ security/security.c       | 11 +++++++++++
+ 4 files changed, 48 insertions(+)
+
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 74e6964..adfaa21 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -492,6 +492,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+ 	if (override_cred) {
+ 		override_cred->fsuid = inode->i_uid;
+ 		override_cred->fsgid = inode->i_gid;
++		if (!hardlink) {
++			err = security_dentry_create_files_as(dentry,
++					stat->mode, &dentry->d_name, old_cred,
++					override_cred);
++			if (err) {
++				put_cred(override_cred);
++				goto out_revert_creds;
++			}
++		}
+ 		put_cred(override_creds(override_cred));
+ 		put_cred(override_cred);
+ 
+@@ -502,6 +511,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
+ 			err = ovl_create_over_whiteout(dentry, inode, stat,
+ 							link, hardlink);
+ 	}
++out_revert_creds:
+ 	revert_creds(old_cred);
+ 	if (!err) {
+ 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index 336b3fb..55891c0 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -151,6 +151,16 @@
+  *	@name name of the last path component used to create file
+  *	@ctx pointer to place the pointer to the resulting context in.
+  *	@ctxlen point to place the length of the resulting context.
++ * @dentry_create_files_as:
++ *	Compute a context for a dentry as the inode is not yet available
++ *	and set that context in passed in creds so that new files are
++ *	created using that context. Context is calculated using the
++ *	passed in creds and not the creds of the caller.
++ *	@dentry dentry to use in calculating the context.
++ *	@mode mode used to determine resource type.
++ *	@name name of the last path component used to create file
++ * 	@old creds which should be used for context calculation
++ * 	@new creds to modify
+  *
+  *
+  * Security hooks for inode operations.
+@@ -1375,6 +1385,10 @@ union security_list_options {
+ 	int (*dentry_init_security)(struct dentry *dentry, int mode,
+ 					const struct qstr *name, void **ctx,
+ 					u32 *ctxlen);
++	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old,
++					struct cred *new);
+ 
+ 
+ #ifdef CONFIG_SECURITY_PATH
+@@ -1675,6 +1689,7 @@ struct security_hook_heads {
+ 	struct list_head sb_clone_mnt_opts;
+ 	struct list_head sb_parse_opts_str;
+ 	struct list_head dentry_init_security;
++	struct list_head dentry_create_files_as;
+ #ifdef CONFIG_SECURITY_PATH
+ 	struct list_head path_unlink;
+ 	struct list_head path_mkdir;
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 536fafd..a6c6d5d 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
+ int security_dentry_init_security(struct dentry *dentry, int mode,
+ 					const struct qstr *name, void **ctx,
+ 					u32 *ctxlen);
++int security_dentry_create_files_as(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old,
++					struct cred *new);
+ 
+ int security_inode_alloc(struct inode *inode);
+ void security_inode_free(struct inode *inode);
+@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
+ 	return -EOPNOTSUPP;
+ }
+ 
++static inline int security_dentry_create_files_as(struct dentry *dentry,
++						  int mode, struct qstr *name,
++						  const struct cred *old,
++						  struct cred *new)
++{
++	return 0;
++}
++
+ 
+ static inline int security_inode_init_security(struct inode *inode,
+ 						struct inode *dir,
+diff --git a/security/security.c b/security/security.c
+index a9e2bb9..69614f1 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
+ }
+ EXPORT_SYMBOL(security_dentry_init_security);
+ 
++int security_dentry_create_files_as(struct dentry *dentry, int mode,
++					struct qstr *name,
++					const struct cred *old, struct cred *new)
++{
++	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
++				name, old, new);
++}
++EXPORT_SYMBOL(security_dentry_create_files_as);
++
+ int security_inode_init_security(struct inode *inode, struct inode *dir,
+ 				 const struct qstr *qstr,
+ 				 const initxattrs initxattrs, void *fs_data)
+@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
+ 		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
+ 	.dentry_init_security =
+ 		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
++	.dentry_create_files_as =
++		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
+ #ifdef CONFIG_SECURITY_PATH
+ 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
+ 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch

@@ -0,0 +1,60 @@
+From 0dc3b4757e8d178699bdced13db4344f25d6ae91 Mon Sep 17 00:00:00 2001
+From: Vivek Goyal <vgoyal@redhat.com>
+Date: Tue, 19 Jul 2016 14:34:59 -0400
+Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook
+
+Calculate what would be the label of newly created file and set that secid
+in the passed creds.
+
+Context of the task which is actually creating file is retrieved from
+set of creds passed in. (old->security).
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ security/selinux/hooks.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 2bf0d00..603b600 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+ 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+ }
+ 
++static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
++					  struct qstr *name,
++					  const struct cred *old,
++					  struct cred *new)
++{
++	u32 newsid;
++	int rc;
++	struct task_security_struct *tsec;
++
++	rc = selinux_determine_inode_label(old->security,
++					   d_inode(dentry->d_parent), name,
++					   inode_mode_to_security_class(mode),
++					   &newsid);
++	if (rc)
++		return rc;
++
++	tsec = new->security;
++	tsec->create_sid = newsid;
++	return 0;
++}
++
+ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
+ 				       const struct qstr *qstr,
+ 				       const char **name,
+@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
+ 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
+ 
+ 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
++	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
+ 
+ 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
+ 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
+-- 
+2.10.2
+

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch

@@ -1,7 +1,7 @@
-From 4854c16b274a6bf1ce79f0479ce4d9514914caa4 Mon Sep 17 00:00:00 2001
+From 4d5d28f5cf718a264334717d2078057a81e20d31 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 01/14] Add secure_modules() call
+Subject: [PATCH 08/21] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@@ -41,10 +41,10 @@ index 0c3207d..c8b4ea0 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 0e54d5b..085b720 100644
+index 529efae..0332fdd 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4285,3 +4285,13 @@ void module_layout(struct module *mod,
+@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif
@@ -59,5 +59,5 @@ index 0e54d5b..085b720 100644
 +}
 +EXPORT_SYMBOL(secure_modules);
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,7 +1,7 @@
-From 98083458fbf75ab8d78f62d0b5b6d83f49b1e09a Mon Sep 17 00:00:00 2001
+From 386785a5e9165fda60acc91e2a1b5ebe3f36aaa5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
+Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from
@@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,7 +1,7 @@
-From aa4e5d19b6907f481858501b75b05a6d2898d270 Mon Sep 17 00:00:00 2001
+From fcf2ade3fef45be5eabaeaf76a7eccd42be9410f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
+Subject: [PATCH 10/21] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration
@@ -46,7 +46,7 @@ index 589b319..ab83724 100644
  	}
  	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 5bb1985..7f1a7ab 100644
+index a33163d..48a2897 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -28,6 +28,7 @@
@@ -57,7 +57,7 @@ index 5bb1985..7f1a7ab 100644
  
  #include <linux/uaccess.h>
  
-@@ -580,6 +581,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
+@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf,
  	unsigned long i = *ppos;
  	const char __user *tmp = buf;
  
@@ -68,5 +68,5 @@ index 5bb1985..7f1a7ab 100644
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch

@@ -1,7 +1,7 @@
-From fc270da17651b116b0d4ce1998f5cfad25d48eae Mon Sep 17 00:00:00 2001
+From 8ea1fcb7288fd735600383d1548b3bad48fd57e4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 04/14] ACPI: Limit access to custom_method
+Subject: [PATCH 11/21] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
@@ -27,5 +27,5 @@ index c68e724..4277938 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,7 @@
-From c4fe9ea847f1fbd9ecabc5ec8f87020bea65d741 Mon Sep 17 00:00:00 2001
+From 30a3b4dd7d179236e982c1dd9efab6fe321f65b7 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
@@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index ce6ca31..55d2399 100644
+index 7c093a0..21fd6b8 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
@@ -50,5 +50,5 @@ index ce6ca31..55d2399 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,7 +1,7 @@
-From 6be6524270a0f131a8293f5d4008a364d4a5462f Mon Sep 17 00:00:00 2001
+From efef5e7bcb83c4103155ab6bfd0c75afb9c87cbc Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 7f1a7ab..d6a6f05 100644
+index 48a2897..08a7bff 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -27,9 +27,9 @@ index 7f1a7ab..d6a6f05 100644
  	if (!valid_phys_addr_range(p, count))
  		return -EFAULT;
  
-@@ -516,6 +519,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
- 	if (!pfn_valid(PFN_DOWN(p)))
- 		return -EIO;
+@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf,
+ 	char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
+ 	int err = 0;
  
 +	if (secure_modules())
 +		return -EPERM;
@@ -38,5 +38,5 @@ index 7f1a7ab..d6a6f05 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,7 @@
-From 1b626fb49ffd2fd4c8b962ce80b4f87164f8f5f6 Mon Sep 17 00:00:00 2001
+From 177ac262dbddf8af35b815a36e466fabae8e282b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module
  loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 416953a..4887e34 100644
+index 4305ee9..fa1bcf0 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
 @@ -40,6 +40,7 @@
@@ -25,7 +25,7 @@ index 416953a..4887e34 100644
  
  #include <asm/io.h>
  #include <asm/uaccess.h>
-@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
+@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
  acpi_physical_address __init acpi_os_get_root_pointer(void)
  {
  #ifdef CONFIG_KEXEC
@@ -35,5 +35,5 @@ index 416953a..4887e34 100644
  #endif
  
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,7 +1,7 @@
-From 2ccbff3b3a81d8e16771a065d594e3a7acc2ef23 Mon Sep 17 00:00:00 2001
+From 48b5a959e24ff9355c1eff83500e8da6b90fe209 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 
 kexec permits the loading and execution of arbitrary code in ring 0, which
@@ -35,5 +35,5 @@ index 980936a..a0e4cb3 100644
  
  	/*
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,7 +1,7 @@
-From e6dca416cd3110c0029845d0fa20980f4e0c89a6 Mon Sep 17 00:00:00 2001
+From a301f23e8243dca15d24c868c95249390cb8f584 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is
+Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,
@@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644
  			err = -EFAULT;
  			break;
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,7 @@
-From dd587db145416e321874fb8a222dbd6766321c0f Mon Sep 17 00:00:00 2001
+From 03115eb920c605c2307884dfbda90755ddddc435 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/14] Add option to automatically enforce module signatures
+Subject: [PATCH 17/21] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index bada636..882da2b 100644
+index 2a1f0ce..ba2c734 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1786,6 +1786,16 @@ config EFI_MIXED
+@@ -1774,6 +1774,16 @@ config EFI_MIXED
  
  	   If unsure, say N.
  
@@ -55,7 +55,7 @@ index bada636..882da2b 100644
  	def_bool y
  	prompt "Enable seccomp to safely compute untrusted bytecode"
 diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
-index cc69e37..17b3765 100644
+index 94dd4a3..1959b82 100644
 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -12,6 +12,7 @@
@@ -66,7 +66,7 @@ index cc69e37..17b3765 100644
  
  #include "../string.h"
  #include "eboot.h"
-@@ -537,6 +538,36 @@ static void setup_efi_pci(struct boot_params *params)
+@@ -571,6 +572,36 @@ free_handle:
  	efi_call_early(free_pool, pci_handle);
  }
  
@@ -103,7 +103,7 @@ index cc69e37..17b3765 100644
  static efi_status_t
  setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
  {
-@@ -1094,6 +1125,10 @@ struct boot_params *efi_main(struct efi_config *c,
+@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c,
  	else
  		setup_boot_services32(efi_early);
  
@@ -129,7 +129,7 @@ index c18ce67..2b3e542 100644
  	 * The sentinel is set to a nonzero value (0xff) in header.S.
  	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 9c337b0..f7f369b 100644
+index d5219b1..d635886 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p)
@@ -163,10 +163,10 @@ index c8b4ea0..8918ef4 100644
  
  extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 085b720..e0c6216 100644
+index 0332fdd..3f1ea6b 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4286,6 +4286,13 @@ void module_layout(struct module *mod,
+@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod,
  EXPORT_SYMBOL(module_layout);
  #endif
  
@@ -181,5 +181,5 @@ index 085b720..e0c6216 100644
  {
  #ifdef CONFIG_MODULE_SIG
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,7 +1,7 @@
-From 0f2a255cf654f8190b7afe64c691d33a01bb8d42 Mon Sep 17 00:00:00 2001
+From 3e2d384de2f01d665130e782d3aad795da426ea6 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 11/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 882da2b..d666ef8b 100644
+index ba2c734..a5d6b58 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1787,7 +1787,8 @@ config EFI_MIXED
+@@ -1775,7 +1775,8 @@ config EFI_MIXED
  	   If unsure, say N.
  
  config EFI_SECURE_BOOT_SIG_ENFORCE
@@ -26,5 +26,5 @@ index 882da2b..d666ef8b 100644
  	---help---
  	  UEFI Secure Boot provides a mechanism for ensuring that the
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From 4de054ccaffe8b6d6fe584ce3410185f7b96f214 Mon Sep 17 00:00:00 2001
+From 1c1054b69bddc281c51c1095482998ad88e32728 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 12/14] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@@ -13,7 +13,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  2 files changed, 3 insertions(+)
 
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index f7f369b..60dccc2 100644
+index d635886..5824ae5 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
 @@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
@@ -27,10 +27,10 @@ index f7f369b..60dccc2 100644
  #endif
  
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 2d08948..6902c59 100644
+index 0148a30..4b62b48 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -1043,6 +1043,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *);
  #define EFI_ARCH_1		7	/* First arch-specific bit */
  #define EFI_DBG			8	/* Print additional debug info at runtime */
  #define EFI_NX_PE_DATA		9	/* Can runtime data regions be mapped non-executable? */
@@ -39,5 +39,5 @@ index 2d08948..6902c59 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From 41b5e0b849955e5eecb90e4f791d725008c97931 Mon Sep 17 00:00:00 2001
+From 5b4d1673d29bb51a85244d02c0310ac0b3670ad6 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 13/14] hibernate: Disable in a signed modules environment
+Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index b26dbc4..ab187ad 100644
+index 33c79b6..d1420be 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -35,5 +35,5 @@ index b26dbc4..ab187ad 100644
  
  /**
 -- 
-2.7.3
+2.10.2
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From c40c198ae4798b15647dc55ce71ba28e7eba108a Mon Sep 17 00:00:00 2001
+From 624e36cc7632f8faca23e186c80a8e174706c3f5 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 14/14] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index b103777..7824269 100644
+index c7f0e79..9635349 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
@@ -26,5 +26,5 @@ index b103777..7824269 100644
  
  # Leave processing to above invocation of make
 -- 
-2.7.3
+2.10.2