Merge pull request #2100 from crawford/linux
sys-kernel/coreos-*: bump to linux 4.7
commit
d5679d4121
@ -687,7 +687,6 @@ CONFIG_MOUSE_PS2=m
|
||||
# CONFIG_MOUSE_PS2_FOCALTECH is not set
|
||||
CONFIG_INPUT_MISC=y
|
||||
# CONFIG_SERIO_SERPORT is not set
|
||||
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
|
||||
# CONFIG_LEGACY_PTYS is not set
|
||||
# CONFIG_DEVKMEM is not set
|
||||
CONFIG_SERIAL_8250=y
|
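Review bot: The line this hunk drops cannot be identified from the rendered page because the `-` marker is lost, and the commit message does not say which kernel options were removed or why; the same applies to the hunks at -222 and -338. If the line dropped here and at -222 is `CONFIG_DEVPTS_MULTIPLE_INSTANCES=y`, it was presumably removed because the option no longer exists in 4.7, which is worth stating so the change is not read as a deliberate weakening. The -338 hunk sits between `CONFIG_DEBUG_SET_MODULE_RONX=y` and `CONFIG_MODULE_SIG_KEY="certs/modules.pem"`, a block of hardening-related options, so a one-line list in the commit message separating options removed because they vanished upstream from options deliberately turned off would make these three hunks checkable.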
@ -222,7 +222,6 @@ CONFIG_RTL8192CE=m
|
||||
CONFIG_INPUT_EVDEV=y
|
||||
# CONFIG_SERIO_SERPORT is not set
|
||||
CONFIG_SERIO_AMBAKMI=y
|
||||
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
|
||||
CONFIG_LEGACY_PTY_COUNT=16
|
||||
CONFIG_SERIAL_8250=y
|
||||
CONFIG_SERIAL_8250_CONSOLE=y
|
||||
@ -338,7 +337,6 @@ CONFIG_SCHEDSTATS=y
|
||||
# CONFIG_DEBUG_PREEMPT is not set
|
||||
CONFIG_DEBUG_CREDENTIALS=y
|
||||
# CONFIG_FTRACE is not set
|
||||
CONFIG_DEBUG_SET_MODULE_RONX=y
|
||||
CONFIG_SECURITY=y
|
||||
CONFIG_CRYPTO_ANSI_CPRNG=y
|
||||
CONFIG_MODULE_SIG_KEY="certs/modules.pem"
|
@ -1,2 +1 @@
|
||||
DIST linux-4.6.tar.xz 89461728 SHA256 a93771cd5a8ad27798f22e9240538dfea48d3a2bf2a6a6ab415de3f02d25d866 SHA512 df5ee40b0ebd89914a900f63c32a481cb4f405d8f792b2d03ea167ce9c5bdf75154c7bd8ecd7ebac77a8dbf2b077c972cbfe6b95163e27c38c1fefc6ddbdfa0b WHIRLPOOL 50ee28a06930ffb29ade1aa5fb4e3bf165ead92cb660dc6771a265cdbc2240713ebf14fe235fa153d8b6e3ab853852ea06c2525209cd7989aa3d6f6fad5b7edf
|
||||
DIST patch-4.6.4.xz 111624 SHA256 f500a3b841c41420914938d681e258c712fbbd7ebec5fe70f0abc071a1738e47 SHA512 8288af19d5e81e891049a6450224ce0707dc729dadab4802af93ce57e2fb6d400b64dde601ece482ec4db72176837eaa52bbca7ebd7e53191253ff05a7d4fe91 WHIRLPOOL 90b64398a96803899203e638d00bb0e23be1ab859107104f7b670e9af38af543f053442d3424aeb45e1d1fac6cf8e8d5dd0c93b62f55e545c0a856a18631a455
|
||||
DIST linux-4.7.tar.xz 90412100 SHA256 5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10 SHA512 e8c02583e17e4fc4214fef694825fcb78c898266f1624deb1cdf56ab5c5fdfa669c5221122a7cf0d502ed6f921ff3797634acd9d294d29e98e3faa8a21920185 WHIRLPOOL e968c89ce714c8d918db6074dabac4b0200c57ff111260313cf5798eeefb8b5b10c1509b64e2ee611a78e81075c588a473b67f9802609b2fef9ebb87ae514d98
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c35230624d1464523272de88a5085cd808e2eb97 Mon Sep 17 00:00:00 2001
|
||||
From 56c7486c654e67683c23e8769351898dc650f890 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH 01/20] Add secure_modules() call
|
||||
@ -17,19 +17,19 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index 2bb0c30..ab13009 100644
|
||||
index 3daf2b3..15843fc 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -630,6 +630,8 @@ static inline bool module_requested_async_probing(struct module *module)
|
||||
@@ -643,6 +643,8 @@ static inline bool module_requested_async_probing(struct module *module)
|
||||
return module && module->async_probe_requested;
|
||||
}
|
||||
|
||||
+extern bool secure_modules(void);
|
||||
+
|
||||
#else /* !CONFIG_MODULES... */
|
||||
|
||||
/* Given an address, look for it in the exception tables. */
|
||||
@@ -746,6 +748,10 @@ static inline bool module_requested_async_probing(struct module *module)
|
||||
#ifdef CONFIG_LIVEPATCH
|
||||
static inline bool is_livepatch_module(struct module *mod)
|
||||
{
|
||||
@@ -771,6 +773,10 @@ static inline bool module_requested_async_probing(struct module *module)
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -41,10 +41,10 @@ index 2bb0c30..ab13009 100644
|
||||
|
||||
#ifdef CONFIG_SYSFS
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 041200c..392ac8c 100644
|
||||
index 5f71aa6..3c38496 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4080,3 +4080,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4199,3 +4199,13 @@ void module_layout(struct module *mod,
|
||||
}
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
@ -59,5 +59,5 @@ index 041200c..392ac8c 100644
|
||||
+}
|
||||
+EXPORT_SYMBOL(secure_modules);
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
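Review bot: The rebased patch files record new source commits in their `From` lines (here `56c7486c654e67683c23e8769351898dc650f890` replacing `c35230624d1464523272de88a5085cd808e2eb97`), but nothing in the commit records which branch or tag the 20 commits were exported from, so the regenerated series cannot be traced back to a reviewable history; the same applies to patches 02 through 20. The `--` trailer changing from `2.8.2` to `2.7.3` in every file also indicates the series was exported with a different git than last time, which adds noise to each rebase diff. Adding the source repository and branch tip to the commit message, or a comment next to the patch list in the ebuild, would let a later reviewer diff the exported patches against that branch. Within this patch only hunk offsets moved (module.h 630→643 and 746→771, module.c 4080→4199); the visible `+extern bool secure_modules(void);` and `+EXPORT_SYMBOL(secure_modules);` lines are unchanged.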
@ -1,4 +1,4 @@
|
||||
From de2acb86b00352b3e58c55aa5474970bd52640a5 Mon Sep 17 00:00:00 2001
|
||||
From a092193db748a914f777fc4426322d085f6447ba Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH 02/20] PCI: Lock down BAR access when module security is
|
||||
@ -18,7 +18,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
3 files changed, 19 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
|
||||
index 342b691..2809631 100644
|
||||
index d319a9c..6b1884d 100644
|
||||
--- a/drivers/pci/pci-sysfs.c
|
||||
+++ b/drivers/pci/pci-sysfs.c
|
||||
@@ -30,6 +30,7 @@
|
||||
@ -49,7 +49,7 @@ index 342b691..2809631 100644
|
||||
for (i = 0; i < PCI_ROM_RESOURCE; i++)
|
||||
if (res == &pdev->resource[i])
|
||||
break;
|
||||
@@ -1102,6 +1109,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
@@ -1101,6 +1108,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
|
||||
struct bin_attribute *attr, char *buf,
|
||||
loff_t off, size_t count)
|
||||
{
|
||||
@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
|
||||
|
||||
dev = pci_get_bus_and_slot(bus, dfn);
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 9822e9d4cc1c380146f6b7b0984a9f03c2d5ee30 Mon Sep 17 00:00:00 2001
|
||||
From 665de4d1fe2819dff85c1ae2bb5de77d2dfaf3d5 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 03/20] x86: Lock down IO port access when module security is
|
||||
@ -68,5 +68,5 @@ index 71025c2..86e5bfa 100644
|
||||
return -EFAULT;
|
||||
while (count-- > 0 && i < 65536) {
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b2f6e6b53381d5213e128e1266d1a4728bcb1e7f Mon Sep 17 00:00:00 2001
|
||||
From ec9e1e7e77567c9a02fe912d77c4ad0b861d35a0 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 04/20] ACPI: Limit access to custom_method
|
||||
@ -27,5 +27,5 @@ index c68e724..4277938 100644
|
||||
/* parse the table header to get the table length */
|
||||
if (count <= sizeof(struct acpi_table_header))
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e84e314c9dbc752726045c29a7464a6b6910dd1f Mon Sep 17 00:00:00 2001
|
||||
From 25b3c5a56a2f963a6b92be5256eb7d9a118e1ec4 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 05/20] asus-wmi: Restrict debugfs interface when module
|
||||
@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
|
||||
index a96630d..92bf6b1 100644
|
||||
index a26dca3..6ec9cab 100644
|
||||
--- a/drivers/platform/x86/asus-wmi.c
|
||||
+++ b/drivers/platform/x86/asus-wmi.c
|
||||
@@ -1867,6 +1867,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
@@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
@ -29,7 +29,7 @@ index a96630d..92bf6b1 100644
|
||||
err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
|
||||
|
||||
if (err < 0)
|
||||
@@ -1883,6 +1886,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
@@ -1888,6 +1891,9 @@ static int show_devs(struct seq_file *m, void *data)
|
||||
int err;
|
||||
u32 retval = -1;
|
||||
|
||||
@ -39,7 +39,7 @@ index a96630d..92bf6b1 100644
|
||||
err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
|
||||
&retval);
|
||||
|
||||
@@ -1907,6 +1913,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
@@ -1912,6 +1918,9 @@ static int show_call(struct seq_file *m, void *data)
|
||||
union acpi_object *obj;
|
||||
acpi_status status;
|
||||
|
||||
@ -50,5 +50,5 @@ index a96630d..92bf6b1 100644
|
||||
1, asus->debug.method_id,
|
||||
&input, &output);
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 75bf36f24bd1efeadb16130281207f488e38ad51 Mon Sep 17 00:00:00 2001
|
||||
From 30af3497cb4e5af8e602674738c2eb8cd79936e9 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH 06/20] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
@ -38,5 +38,5 @@ index 86e5bfa..3264735 100644
|
||||
unsigned long to_write = min_t(unsigned long, count,
|
||||
(unsigned long)high_memory - p);
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 301e69031df178a811ddb0745ed910518c36fbbe Mon Sep 17 00:00:00 2001
|
||||
From 5fc15323a692410e72e7b7fdafa2a71a7420b8d0 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 07/20] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
|
||||
index 814d5f8..84ca0b5 100644
|
||||
index b108f13..158de7d 100644
|
||||
--- a/drivers/acpi/osl.c
|
||||
+++ b/drivers/acpi/osl.c
|
||||
@@ -40,6 +40,7 @@
|
||||
@ -25,7 +25,7 @@ index 814d5f8..84ca0b5 100644
|
||||
|
||||
#include <asm/io.h>
|
||||
#include <asm/uaccess.h>
|
||||
@@ -254,7 +255,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
|
||||
@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp);
|
||||
acpi_physical_address __init acpi_os_get_root_pointer(void)
|
||||
{
|
||||
#ifdef CONFIG_KEXEC
|
||||
@ -35,5 +35,5 @@ index 814d5f8..84ca0b5 100644
|
||||
#endif
|
||||
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From a92898f1e8f05643870686a48812d2898127cf8e Mon Sep 17 00:00:00 2001
|
||||
From bd55d2cfacdd370df7e5a8f03863f59cee591c47 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Thu, 19 Nov 2015 18:55:53 -0800
|
||||
Subject: [PATCH 08/20] kexec: Disable at runtime if the kernel enforces module
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/kernel/kexec.c b/kernel/kexec.c
|
||||
index ee70aef..755198b 100644
|
||||
index 4384672..0876783 100644
|
||||
--- a/kernel/kexec.c
|
||||
+++ b/kernel/kexec.c
|
||||
@@ -17,6 +17,7 @@
|
||||
@ -25,7 +25,7 @@ index ee70aef..755198b 100644
|
||||
|
||||
#include "kexec_internal.h"
|
||||
|
||||
@@ -131,7 +132,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
@@ -189,7 +190,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
|
||||
int result;
|
||||
|
||||
/* We only trust the superuser with rebooting the system. */
|
||||
@ -35,5 +35,5 @@ index ee70aef..755198b 100644
|
||||
|
||||
/*
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From b68abccfa5c9dca3e8c921139bcd5e794ae8e67c Mon Sep 17 00:00:00 2001
|
||||
From 6a2ebbbc4d82f75d98a2f594db23b853abba2333 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 09/20] x86: Restrict MSR access when module loading is
|
||||
@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644
|
||||
err = -EFAULT;
|
||||
break;
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From ec3ce7daf05ab4d0456a06235e5f91f09fc57268 Mon Sep 17 00:00:00 2001
|
||||
From 23b33d629abc9fa53f5f1c6422bf7b170c322beb Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 10/20] Add option to automatically enforce module signatures
|
||||
@ -13,12 +13,12 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
---
|
||||
Documentation/x86/zero-page.txt | 2 ++
|
||||
arch/x86/Kconfig | 10 ++++++++++
|
||||
arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++
|
||||
arch/x86/boot/compressed/eboot.c | 35 +++++++++++++++++++++++++++++++++++
|
||||
arch/x86/include/uapi/asm/bootparam.h | 3 ++-
|
||||
arch/x86/kernel/setup.c | 6 ++++++
|
||||
include/linux/module.h | 6 ++++++
|
||||
kernel/module.c | 7 +++++++
|
||||
7 files changed, 69 insertions(+), 1 deletion(-)
|
||||
7 files changed, 68 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
|
||||
index 95a4d34..b8527c6 100644
|
||||
@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
|
||||
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
|
||||
2D0/A00 ALL e820_map E820 memory map table
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index 2dc18605..a701d09 100644
|
||||
index d9a94da..866d0e9 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1785,6 +1785,16 @@ config EFI_MIXED
|
||||
@@ -1776,6 +1776,16 @@ config EFI_MIXED
|
||||
|
||||
If unsure, say N.
|
||||
|
||||
@ -55,7 +55,7 @@ index 2dc18605..a701d09 100644
|
||||
def_bool y
|
||||
prompt "Enable seccomp to safely compute untrusted bytecode"
|
||||
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
|
||||
index 583d539..ca120ac 100644
|
||||
index 52fef60..faa223b 100644
|
||||
--- a/arch/x86/boot/compressed/eboot.c
|
||||
+++ b/arch/x86/boot/compressed/eboot.c
|
||||
@@ -12,6 +12,7 @@
|
||||
@ -66,8 +66,8 @@ index 583d539..ca120ac 100644
|
||||
|
||||
#include "../string.h"
|
||||
#include "eboot.h"
|
||||
@@ -847,6 +848,37 @@ out:
|
||||
return status;
|
||||
@@ -571,6 +572,36 @@ free_handle:
|
||||
efi_call_early(free_pool, pci_handle);
|
||||
}
|
||||
|
||||
+static int get_secure_boot(void)
|
||||
@ -100,11 +100,10 @@ index 583d539..ca120ac 100644
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+
|
||||
/*
|
||||
* See if we have Graphics Output Protocol
|
||||
*/
|
||||
@@ -1432,6 +1464,10 @@ struct boot_params *efi_main(struct efi_config *c,
|
||||
static efi_status_t
|
||||
setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height)
|
||||
{
|
||||
@@ -1126,6 +1157,10 @@ struct boot_params *efi_main(struct efi_config *c,
|
||||
else
|
||||
setup_boot_services32(efi_early);
|
||||
|
||||
@ -116,7 +115,7 @@ index 583d539..ca120ac 100644
|
||||
|
||||
setup_efi_pci(boot_params);
|
||||
diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h
|
||||
index 3292543..b61f853 100644
|
||||
index c18ce67..2b3e542 100644
|
||||
--- a/arch/x86/include/uapi/asm/bootparam.h
|
||||
+++ b/arch/x86/include/uapi/asm/bootparam.h
|
||||
@@ -134,7 +134,8 @@ struct boot_params {
|
||||
@ -130,10 +129,10 @@ index 3292543..b61f853 100644
|
||||
* The sentinel is set to a nonzero value (0xff) in header.S.
|
||||
*
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 2367ae0..1a78bf7 100644
|
||||
index c4e7b39..bdb9881 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1146,6 +1146,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1152,6 +1152,12 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
io_delay_init();
|
||||
|
||||
@ -147,7 +146,7 @@ index 2367ae0..1a78bf7 100644
|
||||
* Parse the ACPI tables for possible boot-time SMP configuration.
|
||||
*/
|
||||
diff --git a/include/linux/module.h b/include/linux/module.h
|
||||
index ab13009..e072b84 100644
|
||||
index 15843fc..fe5c49d 100644
|
||||
--- a/include/linux/module.h
|
||||
+++ b/include/linux/module.h
|
||||
@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
|
||||
@ -164,10 +163,10 @@ index ab13009..e072b84 100644
|
||||
|
||||
extern int modules_disabled; /* for sysctl */
|
||||
diff --git a/kernel/module.c b/kernel/module.c
|
||||
index 392ac8c..676c578 100644
|
||||
index 3c38496..ea484f3 100644
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -4081,6 +4081,13 @@ void module_layout(struct module *mod,
|
||||
@@ -4200,6 +4200,13 @@ void module_layout(struct module *mod,
|
||||
EXPORT_SYMBOL(module_layout);
|
||||
#endif
|
||||
|
||||
@ -182,5 +181,5 @@ index 392ac8c..676c578 100644
|
||||
{
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
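Review bot: The `get_secure_boot()` hunk in arch/x86/boot/compressed/eboot.c moved from after `out: return status;` (old `@@ -847,6 +848,37 @@`) to after `free_handle: efi_call_early(free_pool, pci_handle);` (new `@@ -571,6 +572,36 @@`), and the efi_main hunk's context changed from `setup_uga32(...)` to `else setup_boot_services32(efi_early);`, so the call that presumably reads the firmware SecureBoot state now sits at a different point in efi_main; that it still runs after the boot-services pointers are set up and before `setup_efi_pci(boot_params)` should be confirmed, since the efi_main insertion itself is not visible here. The diffstat change from 36 to 35 insertions appears to be only one of the two blank `+` lines after `get_secure_boot()`'s closing brace being dropped, which is harmless. A short sentence in the patch description saying the hunk was relocated for 4.7 would spare the next rebase the same check.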
@ -1,4 +1,4 @@
|
||||
From 6c1648fa6c1e91977c502e2f2a5b3c4f09124ce6 Mon Sep 17 00:00:00 2001
|
||||
From d1431fc712f301635f392a11045b1a2fe9df7e25 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:28:43 -0400
|
||||
Subject: [PATCH 11/20] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
|
||||
index a701d09..fef4036 100644
|
||||
index 866d0e9..5b8b8c3 100644
|
||||
--- a/arch/x86/Kconfig
|
||||
+++ b/arch/x86/Kconfig
|
||||
@@ -1786,7 +1786,8 @@ config EFI_MIXED
|
||||
@@ -1777,7 +1777,8 @@ config EFI_MIXED
|
||||
If unsure, say N.
|
||||
|
||||
config EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
@ -26,5 +26,5 @@ index a701d09..fef4036 100644
|
||||
---help---
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d1440220844d8a0cca8168526fc2d6a74787283c Mon Sep 17 00:00:00 2001
|
||||
From 735f74a5d4919c155481ee8aca9074c5d53f4029 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 12/20] efi: Add EFI_SECURE_BOOT bit
|
||||
@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
2 files changed, 3 insertions(+)
|
||||
|
||||
diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
|
||||
index 1a78bf7..564921b 100644
|
||||
index bdb9881..a666b6c 100644
|
||||
--- a/arch/x86/kernel/setup.c
|
||||
+++ b/arch/x86/kernel/setup.c
|
||||
@@ -1148,7 +1148,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
@@ -1154,7 +1154,9 @@ void __init setup_arch(char **cmdline_p)
|
||||
|
||||
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
|
||||
if (boot_params.secure_boot) {
|
||||
@ -27,10 +27,10 @@ index 1a78bf7..564921b 100644
|
||||
#endif
|
||||
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 1626474..2bd4516 100644
|
||||
index f196dd0..3b3909f 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -1009,6 +1009,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
@@ -1062,6 +1062,7 @@ extern int __init efi_setup_pcdp_console(char *);
|
||||
#define EFI_ARCH_1 7 /* First arch-specific bit */
|
||||
#define EFI_DBG 8 /* Print additional debug info at runtime */
|
||||
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
|
||||
@ -39,5 +39,5 @@ index 1626474..2bd4516 100644
|
||||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From df84f18e06e61f63e4e7847d455a3601b15a941a Mon Sep 17 00:00:00 2001
|
||||
From d0c5883f7885f8b8d1dd617ab6e7f4015bbd0419 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 13/20] hibernate: Disable in a signed modules environment
|
||||
@ -35,5 +35,5 @@ index fca9254..ffd8644 100644
|
||||
|
||||
/**
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 21bb922ca499884980a7a98992bb0b00c05c223a Mon Sep 17 00:00:00 2001
|
||||
From cf7c941ac72cf28c9ed256ed6f7e77dd451819ec Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:31 +0100
|
||||
Subject: [PATCH 14/20] Security: Provide copy-up security hooks for unioned
|
||||
@ -21,7 +21,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
3 files changed, 54 insertions(+)
|
||||
|
||||
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
|
||||
index cdee11c..adef596 100644
|
||||
index 7ae3976..b585466 100644
|
||||
--- a/include/linux/lsm_hooks.h
|
||||
+++ b/include/linux/lsm_hooks.h
|
||||
@@ -401,6 +401,24 @@
|
||||
@ -49,7 +49,7 @@ index cdee11c..adef596 100644
|
||||
*
|
||||
* Security hooks for file operations
|
||||
*
|
||||
@@ -1424,6 +1442,9 @@ union security_list_options {
|
||||
@@ -1425,6 +1443,9 @@ union security_list_options {
|
||||
int (*inode_listsecurity)(struct inode *inode, char *buffer,
|
||||
size_t buffer_size);
|
||||
void (*inode_getsecid)(struct inode *inode, u32 *secid);
|
||||
@ -59,7 +59,7 @@ index cdee11c..adef596 100644
|
||||
|
||||
int (*file_permission)(struct file *file, int mask);
|
||||
int (*file_alloc_security)(struct file *file);
|
||||
@@ -1695,6 +1716,8 @@ struct security_hook_heads {
|
||||
@@ -1696,6 +1717,8 @@ struct security_hook_heads {
|
||||
struct list_head inode_setsecurity;
|
||||
struct list_head inode_listsecurity;
|
||||
struct list_head inode_getsecid;
|
||||
@ -69,10 +69,10 @@ index cdee11c..adef596 100644
|
||||
struct list_head file_alloc_security;
|
||||
struct list_head file_free_security;
|
||||
diff --git a/include/linux/security.h b/include/linux/security.h
|
||||
index 157f0cb..449f1b0 100644
|
||||
index 14df373..986265b 100644
|
||||
--- a/include/linux/security.h
|
||||
+++ b/include/linux/security.h
|
||||
@@ -276,6 +276,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
|
||||
@@ -282,6 +282,10 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
|
||||
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
|
||||
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
|
||||
void security_inode_getsecid(struct inode *inode, u32 *secid);
|
||||
@ -83,7 +83,7 @@ index 157f0cb..449f1b0 100644
|
||||
int security_file_permission(struct file *file, int mask);
|
||||
int security_file_alloc(struct file *file);
|
||||
void security_file_free(struct file *file);
|
||||
@@ -744,6 +748,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
|
||||
@@ -758,6 +762,16 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
|
||||
*secid = 0;
|
||||
}
|
||||
|
||||
@ -101,10 +101,10 @@ index 157f0cb..449f1b0 100644
|
||||
{
|
||||
return 0;
|
||||
diff --git a/security/security.c b/security/security.c
|
||||
index 3644b03..8548340 100644
|
||||
index 7095693..77ec85b 100644
|
||||
--- a/security/security.c
|
||||
+++ b/security/security.c
|
||||
@@ -726,6 +726,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
|
||||
@@ -727,6 +727,19 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
|
||||
call_void_hook(inode_getsecid, inode, secid);
|
||||
}
|
||||
|
||||
@ -124,7 +124,7 @@ index 3644b03..8548340 100644
|
||||
int security_file_permission(struct file *file, int mask)
|
||||
{
|
||||
int ret;
|
||||
@@ -1662,6 +1675,10 @@ struct security_hook_heads security_hook_heads = {
|
||||
@@ -1663,6 +1676,10 @@ struct security_hook_heads security_hook_heads = {
|
||||
LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
|
||||
.inode_getsecid =
|
||||
LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
|
||||
@ -136,5 +136,5 @@ index 3644b03..8548340 100644
|
||||
LIST_HEAD_INIT(security_hook_heads.file_permission),
|
||||
.file_alloc_security =
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 4eac8c9deb0ffddf8d71b6783675087a4ee6b436 Mon Sep 17 00:00:00 2001
|
||||
From 08ff141c7c1887f6f2793b03d7575d46375352c6 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:31 +0100
|
||||
Subject: [PATCH 15/20] Overlayfs: Use copy-up security hooks
|
||||
@ -13,7 +13,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
|
||||
index cc514da..a181c7c 100644
|
||||
index 80aa6f1..c7ba7b2 100644
|
||||
--- a/fs/overlayfs/copy_up.c
|
||||
+++ b/fs/overlayfs/copy_up.c
|
||||
@@ -102,6 +102,14 @@ retry:
|
||||
@ -43,5 +43,5 @@ index cc514da..a181c7c 100644
|
||||
struct path upperpath;
|
||||
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f3798692115e472f7d508d725f8952b29250370e Mon Sep 17 00:00:00 2001
|
||||
From 5010e474dd5f54f95f54f5ac6d86085084148aca Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 16/20] SELinux: Stub in copy-up handling
|
||||
@ -13,10 +13,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 20 insertions(+)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index 912deee..b4e3e63 100644
|
||||
index a86d537..19719b7 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -3253,6 +3253,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
|
||||
@@ -3270,6 +3270,24 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
|
||||
*secid = isec->sid;
|
||||
}
|
||||
|
||||
@ -41,7 +41,7 @@ index 912deee..b4e3e63 100644
|
||||
/* file security operations */
|
||||
|
||||
static int selinux_revalidate_file_permission(struct file *file, int mask)
|
||||
@@ -5996,6 +6014,8 @@ static struct security_hook_list selinux_hooks[] = {
|
||||
@@ -6056,6 +6074,8 @@ static struct security_hook_list selinux_hooks[] = {
|
||||
LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
|
||||
LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
|
||||
LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
|
||||
@ -51,5 +51,5 @@ index 912deee..b4e3e63 100644
|
||||
LSM_HOOK_INIT(file_permission, selinux_file_permission),
|
||||
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 518b46aa4f4d0198593c2ffd9a3927db686d3c43 Mon Sep 17 00:00:00 2001
|
||||
From 9f1a7fa7a1db75f71d653863fd190e160535d9d1 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 17/20] SELinux: Handle opening of a unioned file
|
||||
@ -26,10 +26,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
2 files changed, 70 insertions(+)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index b4e3e63..e5d0e2d 100644
|
||||
index 19719b7..74e4f4e 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -3584,10 +3584,72 @@ static int selinux_file_receive(struct file *file)
|
||||
@@ -3603,10 +3603,72 @@ static int selinux_file_receive(struct file *file)
|
||||
return file_has_perm(cred, file, file_to_av(file));
|
||||
}
|
||||
|
||||
@ -102,7 +102,7 @@ index b4e3e63..e5d0e2d 100644
|
||||
|
||||
fsec = file->f_security;
|
||||
isec = inode_security(file_inode(file));
|
||||
@@ -3608,6 +3670,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
|
||||
@@ -3627,6 +3689,13 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
|
||||
* new inode label or new policy.
|
||||
* This check is not redundant - do not remove.
|
||||
*/
|
||||
@ -117,10 +117,10 @@ index b4e3e63..e5d0e2d 100644
|
||||
}
|
||||
|
||||
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
|
||||
index a2ae054..54cce84 100644
|
||||
index c21e135..1c23b90 100644
|
||||
--- a/security/selinux/include/objsec.h
|
||||
+++ b/security/selinux/include/objsec.h
|
||||
@@ -60,6 +60,7 @@ struct file_security_struct {
|
||||
@@ -59,6 +59,7 @@ struct file_security_struct {
|
||||
u32 sid; /* SID of open file description */
|
||||
u32 fown_sid; /* SID of file owner (for SIGIO) */
|
||||
u32 isid; /* SID of inode at the time of file open */
|
||||
@ -129,5 +129,5 @@ index a2ae054..54cce84 100644
|
||||
};
|
||||
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c847761aacd96fb03f6493ffc800ef9310d34ef7 Mon Sep 17 00:00:00 2001
|
||||
From 4d316639da0c1a3cbe34b33cb7d2821b810020bf Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 18/20] SELinux: Check against union label for file operations
|
||||
@ -16,10 +16,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index e5d0e2d..c3f94dd 100644
|
||||
index 74e4f4e..f6dc6b2 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -1745,6 +1745,7 @@ static int file_has_perm(const struct cred *cred,
|
||||
@@ -1755,6 +1755,7 @@ static int file_has_perm(const struct cred *cred,
|
||||
struct file *file,
|
||||
u32 av)
|
||||
{
|
||||
@ -27,7 +27,7 @@ index e5d0e2d..c3f94dd 100644
|
||||
struct file_security_struct *fsec = file->f_security;
|
||||
struct inode *inode = file_inode(file);
|
||||
struct common_audit_data ad;
|
||||
@@ -1765,8 +1766,15 @@ static int file_has_perm(const struct cred *cred,
|
||||
@@ -1775,8 +1776,15 @@ static int file_has_perm(const struct cred *cred,
|
||||
|
||||
/* av is zero if only checking access to the descriptor. */
|
||||
rc = 0;
|
||||
@ -46,5 +46,5 @@ index e5d0e2d..c3f94dd 100644
|
||||
out:
|
||||
return rc;
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 1ef23e9e2c7d6d47ceeaf74d685d951ef109db7a Mon Sep 17 00:00:00 2001
|
||||
From 7c61363beb72419f1dca56e156c794d114d5f9f9 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 19/20] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
@ -12,13 +12,13 @@ by some undesirable path component.
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 0f9cb36..44097a4 100644
|
||||
index 66da9a3..4d55d38 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
@@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
@:
|
||||
|
||||
sub-make: FORCE
|
||||
sub-make:
|
||||
- $(Q)$(MAKE) -C $(KBUILD_OUTPUT) KBUILD_SRC=$(CURDIR) \
|
||||
+ $(Q)$(MAKE) -C $(KBUILD_OUTPUT) \
|
||||
+ KBUILD_SRC=$(shell realpath --relative-to=$(KBUILD_OUTPUT) $(CURDIR)) \
|
||||
@ -26,5 +26,5 @@ index 0f9cb36..44097a4 100644
|
||||
|
||||
# Leave processing to above invocation of make
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6a65a70406567cf4c1264e9baa54b37844c3d5e1 Mon Sep 17 00:00:00 2001
|
||||
From 8a81012508249122343f090c989c46cf15c67480 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Tue, 22 Dec 2015 07:43:52 +0000
|
||||
Subject: [PATCH 20/20] Don't verify write permissions on lower inodes on
|
||||
@ -19,10 +19,10 @@ the selinux permissions check if that flag is set.
|
||||
3 files changed, 13 insertions(+)
|
||||
|
||||
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
|
||||
index a4ff5d0..6ba3443 100644
|
||||
index d1cdc60..a5b1498 100644
|
||||
--- a/fs/overlayfs/inode.c
|
||||
+++ b/fs/overlayfs/inode.c
|
||||
@@ -163,6 +163,9 @@ int ovl_permission(struct inode *inode, int mask)
|
||||
@@ -189,6 +189,9 @@ int ovl_permission(struct inode *inode, int mask)
|
||||
goto out_dput;
|
||||
}
|
||||
|
||||
@ -33,10 +33,10 @@ index a4ff5d0..6ba3443 100644
|
||||
out_dput:
|
||||
dput(alias);
|
||||
diff --git a/include/linux/fs.h b/include/linux/fs.h
|
||||
index 70e61b5..ba1ed95 100644
|
||||
index dd28814..5988996 100644
|
||||
--- a/include/linux/fs.h
|
||||
+++ b/include/linux/fs.h
|
||||
@@ -85,6 +85,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
|
||||
@@ -84,6 +84,7 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset,
|
||||
#define MAY_CHDIR 0x00000040
|
||||
/* called from RCU mode, don't block */
|
||||
#define MAY_NOT_BLOCK 0x00000080
|
||||
@ -45,10 +45,10 @@ index 70e61b5..ba1ed95 100644
|
||||
/*
|
||||
* flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index c3f94dd..37f438c 100644
|
||||
index f6dc6b2..10081f7 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -2967,6 +2967,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
|
||||
@@ -2981,6 +2981,15 @@ static int selinux_inode_permission(struct inode *inode, int mask)
|
||||
u32 audited, denied;
|
||||
|
||||
from_access = mask & MAY_ACCESS;
|
||||
@ -65,5 +65,5 @@ index c3f94dd..37f438c 100644
|
||||
|
||||
/* No permission to check. Existence test. */
|
||||
--
|
||||
2.8.2
|
||||
2.7.3
|
||||
|
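Review bot: The include/linux/fs.h hunk's context changed from `typedef void (dax_iodone_t)...` to `typedef int (dio_iodone_t)...`, meaning the `MAY_*` block this patch extends moved in 4.7, and the value of the flag added after `#define MAY_NOT_BLOCK 0x00000080` is outside the visible part of the hunk; it should be checked against the 4.7 fs.h that no upstream `MAY_*` bit now uses the same value, since a collision would make unrelated callers skip the check that `selinux_inode_permission` omits when the flag is set. The ovl_permission hunk also moved from line 163 to 189, so whether 4.7's overlayfs permission path still reaches the `goto out_dput;` / `}` context seen here for lower inodes is worth confirming on the full file. The enclosing functions of all three hunks start and end outside what is shown.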