From d6e00b8bb642090115b004288e49cff741c3a6ad Mon Sep 17 00:00:00 2001 
From: Matthew Garrett
Date: Mon, 14 Sep 2015 16:30:53 -0700
Subject: [PATCH] Add 4.2 kernel source

Add an ebuild for Linux 4.2 and bring over the relevant patches
---
 ....ebuild => coreos-sources-4.2.0-r1.ebuild} | 2 -
 ...alcs-mems_allowed-as-a-temp-variable.patch | 51 --------------
 ...dst-races-with-multicast-early-demux.patch | 62 -------------------
 .../01-Add-secure_modules-call.patch | 27 ++++----
 ...R-access-when-module-security-is-ena.patch | 4 +-
 ...-port-access-when-module-security-is.patch | 4 +-
 ...4-ACPI-Limit-access-to-custom_method.patch | 4 +-
 ...t-debugfs-interface-when-module-load.patch | 12 ++--
 ...-and-dev-kmem-when-module-loading-is.patch | 4 +-
 ..._rsdp-kernel-parameter-when-module-l.patch | 8 +-
 ...-runtime-if-the-kernel-enforces-modu.patch | 8 +-
 ...-access-when-module-loading-is-restr.patch | 4 +-
 ...tomatically-enforce-module-signature.patch | 24 +++---
 ...ure-boot-if-shim-is-in-insecure-mode.patch | 6 +-
 ...ECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch | 8 +-
 .../13-efi-Add-EFI_SECURE_BOOT-bit.patch | 12 ++--
 ...able-in-a-signed-modules-environment.patch | 6 +-
 ...s-wl18xx-Add-missing-MODULE_FIRMWARE.patch | 0
 18 files changed, 65 insertions(+), 181 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.1.6-r2.ebuild => coreos-sources-4.2.0-r1.ebuild} (90%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/15-cpuset-use-trialcs-mems_allowed-as-a-temp-variable.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/udp-fix-dst-races-with-multicast-early-demux.patch
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/01-Add-secure_modules-call.patch (70%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch (98%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/03-x86-Lock-down-IO-port-access-when-module-security-is.patch (96%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/04-ACPI-Limit-access-to-custom_method.patch (93%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch (82%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch (94%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch (85%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch (87%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch (94%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/10-Add-option-to-automatically-enforce-module-signature.patch (90%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch (94%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch (84%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/13-efi-Add-EFI_SECURE_BOOT-bit.patch (81%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/14-hibernate-Disable-in-a-signed-modules-environment.patch (91%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.1 => 4.2}/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.6-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.0-r1.ebuild
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.6-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.0-r1.ebuild
index dfbd2dd5cd..eb649b2632 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.1.6-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.2.0-r1.ebuild
@@ -27,6 +27,4 @@ ${PATCH_DIR}/10-Add-option-to-automatically-enforce-module-signature.patch \
 ${PATCH_DIR}/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
 ${PATCH_DIR}/13-efi-Add-EFI_SECURE_BOOT-bit.patch \
 ${PATCH_DIR}/14-hibernate-Disable-in-a-signed-modules-environment.patch \
-${PATCH_DIR}/15-cpuset-use-trialcs-mems_allowed-as-a-temp-variable.patch \
-${PATCH_DIR}/udp-fix-dst-races-with-multicast-early-demux.patch \
 ${PATCH_DIR}/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/15-cpuset-use-trialcs-mems_allowed-as-a-temp-variable.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/15-cpuset-use-trialcs-mems_allowed-as-a-temp-variable.patch
deleted file mode 100644
index b90b440116..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/15-cpuset-use-trialcs-mems_allowed-as-a-temp-variable.patch
+++ /dev/null
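Review bot: The commit message does not say why the ebuild hunk drops `15-cpuset-use-trialcs-mems_allowed-as-a-temp-variable.patch` and `udp-fix-dst-races-with-multicast-early-demux.patch` from the PATCHES list; "bring over the relevant patches" leaves a reader unable to tell whether the two fixes are now in 4.2 or were simply lost in the rebase. The udp patch is a dst refcount race fix (its file cites mainline commit 10e2eb878f3c and carries a Fixes: tag), so losing it silently would regress a memory-safety fix, and the cpuset patch carries no upstream reference at all. I would add a sentence to the commit message such as `Drop the cpuset mems_allowed fix and the udp early-demux dst race fix, both of which are in 4.2 (mainline commits <id>, <id>).` and cite the ids so the claim can be checked. Separately, the visible context goes straight from patch 10 to patch 12, so `11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch` appears not to be applied even though it is carried into files/4.2; unless it is listed elsewhere in the ebuild, either add it or note in the ebuild that it is intentionally unused.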
@@ -1,51 +0,0 @@ -cpuset: use trialcs->mems_allowed as a temp variable - -The comment says it's using trialcs->mems_allowed as a temp variable but -it didn't match the code. Change the code to match the comment. - -This fixes an issue when writing in cpuset.mems when a sub-directory -exists: we need to write several times for the information to persist: - -| root@alban:/sys/fs/cgroup/cpuset# mkdir footest9 -| root@alban:/sys/fs/cgroup/cpuset# cd footest9 -| root@alban:/sys/fs/cgroup/cpuset/footest9# mkdir aa -| root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems -| -| root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems -| root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems -| -| root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems -| root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems -| 0 -| root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems -| -| root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > aa/cpuset.mems -| root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems -| 0 -| root@alban:/sys/fs/cgroup/cpuset/footest9# - -This should help to fix the following issue in Docker: -https://github.com/opencontainers/runc/issues/133 -In some conditions, a Docker container needs to be started twice in -order to work. - -Signed-off-by: Alban Crequy -Tested-by: Iago López Galeiras ---- - kernel/cpuset.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/cpuset.c b/kernel/cpuset.c -index ee14e3a..f0acff0 100644 ---- a/kernel/cpuset.c -+++ b/kernel/cpuset.c -@@ -1223,7 +1223,7 @@ static int update_nodemask(struct cpuset *cs, struct cpuset *trialcs, - spin_unlock_irq(&callback_lock); - - /* use trialcs->mems_allowed as a temp variable */ -- update_nodemasks_hier(cs, &cs->mems_allowed); -+ update_nodemasks_hier(cs, &trialcs->mems_allowed); - done: - return retval; - } --- 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/udp-fix-dst-races-with-multicast-early-demux.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/udp-fix-dst-races-with-multicast-early-demux.patch
deleted file mode 100644
index e8a5f6c3db..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/udp-fix-dst-races-with-multicast-early-demux.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 10e2eb878f3ca07ac2f05fa5ca5e6c4c9174a27a Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sat, 1 Aug 2015 12:14:33 +0200 -Subject: [PATCH] udp: fix dst races with multicast early demux -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Multicast dst are not cached. They carry DST_NOCACHE. - -As mentioned in commit f8864972126899 ("ipv4: fix dst race in -sk_dst_get()"), these dst need special care before caching them -into a socket. - -Caching them is allowed only if their refcnt was not 0, ie we -must use atomic_inc_not_zero() - -Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned -in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux -code") - -Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux") -Tested-by: Gregory Hoggarth -Signed-off-by: Eric Dumazet -Reported-by: Gregory Hoggarth -Reported-by: Alex Gartrell -Cc: Michal Kubeček -Signed-off-by: David S. Miller ---- - net/ipv4/udp.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 83aa604..1b8c5ba 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1995,12 +1995,19 @@ void udp_v4_early_demux(struct sk_buff *skb) - - skb->sk = sk; - skb->destructor = sock_efree; -- dst = sk->sk_rx_dst; -+ dst = READ_ONCE(sk->sk_rx_dst); - - if (dst) - dst = dst_check(dst, 0); -- if (dst) -- skb_dst_set_noref(skb, dst); -+ if (dst) { -+ /* DST_NOCACHE can not be used without taking a reference */ -+ if (dst->flags & DST_NOCACHE) { -+ if (likely(atomic_inc_not_zero(&dst->__refcnt))) -+ skb_dst_set(skb, dst); -+ } else { -+ skb_dst_set_noref(skb, dst); -+ } -+ } - } - - int udp_rcv(struct sk_buff *skb) --- -2.4.6 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/01-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/01-Add-secure_modules-call.patch similarity index 70% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/01-Add-secure_modules-call.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/01-Add-secure_modules-call.patch index b92062776e..c0c33617f1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/01-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/01-Add-secure_modules-call.patch @@ -1,4 +1,4 @@ -From 936a56597be7d12ca65e1d4df38f3e1d39308318 Mon Sep 17 00:00:00 2001 +From 6067a76dca90f315916621a657a8a6379b1d0c3b Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 Subject: [PATCH 01/14] Add secure_modules() call @@ -12,28 +12,27 @@ Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd Signed-off-by: Matthew Garrett --- - include/linux/module.h | 7 +++++++ + include/linux/module.h | 6 ++++++ kernel/module.c | 10 ++++++++++ - 2 files changed, 17 insertions(+) + 2 files changed, 16 insertions(+) diff --git a/include/linux/module.h b/include/linux/module.h -index c883b86..cdc46a7 100644 +index 3a19c79..db38634 100644 --- a/include/linux/module.h 
+++ b/include/linux/module.h -@@ -508,6 +508,8 @@ int unregister_module_notifier(struct notifier_block *nb); - - extern void print_modules(void); +@@ -635,6 +635,8 @@ static inline bool module_requested_async_probing(struct module *module) + return module && module->async_probe_requested; + } +extern bool secure_modules(void); + #else /* !CONFIG_MODULES... */ /* Given an address, look for it in the exception tables. */ -@@ -618,6 +620,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb) - static inline void print_modules(void) - { +@@ -751,6 +753,10 @@ static inline bool module_requested_async_probing(struct module *module) + return false; } -+ + +static inline bool secure_modules(void) +{ + return false; @@ -42,10 +41,10 @@ index c883b86..cdc46a7 100644 #ifdef CONFIG_SYSFS diff --git a/kernel/module.c b/kernel/module.c -index cfc9e84..1773828 100644 +index b86b7bf..7f04524 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3915,3 +3915,13 @@ void module_layout(struct module *mod, +@@ -4087,3 +4087,13 @@ void module_layout(struct module *mod, } EXPORT_SYMBOL(module_layout); #endif @@ -60,5 +59,5 @@ index cfc9e84..1773828 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.3.6 +2.4.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 84843993f5..7e581c8c88 100644 
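Review bot: The rebased stub under `#else /* !CONFIG_MODULES... */` still has `secure_modules()` return `false`, so a CONFIG_MODULES=n kernel reports itself as unlocked and every gate layered on this call by the later patches in this series (PCI BAR, IO port, /dev/mem and /dev/kmem, MSR, kexec, hibernate) stays open even when booted under Secure Boot. Nothing in the patch records that this is the intended trade-off rather than an oversight, and the patch's own Upstream-status line notes the approach was replaced upstream. I would add a comment above the stub, `/* No module loader: nothing to enforce, so the kernel reports itself unlocked and the secure_modules() gates added by later patches are inert in this configuration. */`, so that whoever builds a modules-disabled CoreOS kernel knows the lockdown does not apply. The kernel/module.c definition that decides the CONFIG_MODULES=y answer is only partly visible in this file's last hunk, so I cannot confirm what it keys on after the rebase.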
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/02-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,4 +1,4 @@ -From b0000803ff4c4c769aefc37f2d8196756eeb0bb1 Mon Sep 17 00:00:00 2001 +From 1d82a694eb7508eef1e25c4c4dfe5e4ae9206454 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.3.6 +2.4.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/03-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/03-x86-Lock-down-IO-port-access-when-module-security-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch index 066107a3fc..19709440bb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/03-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/03-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,4 +1,4 @@ -From a86490e90244d673cf1705dbfeb705cca4d5322e Mon Sep 17 00:00:00 2001 +From dcddff58bc08a34053c033131bc800e16210a071 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is 
@@ -68,5 +68,5 @@ index 6b1721f..53fe675 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.3.6 +2.4.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/04-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/04-ACPI-Limit-access-to-custom_method.patch similarity index 93% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/04-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/04-ACPI-Limit-access-to-custom_method.patch index bad99ccea9..ffa30c8d90 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/04-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/04-ACPI-Limit-access-to-custom_method.patch @@ -1,4 +1,4 @@ -From ab99ed435205e3d47265a572c22226c62db1923a Mon Sep 17 00:00:00 2001 +From c2c125a4fdabc50a25952e5a81c0fd2b46fde688 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 Subject: [PATCH 04/14] ACPI: Limit access to custom_method @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.3.6 +2.4.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index 3b65ac8a9a..6f2637aec1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/05-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,4 +1,4 @@ -From d410f5739b850b6ad738ad042e88cd76c26a95f3 Mon Sep 17 00:00:00 2001 +From 9adc395ee42eb155a05fc82ca07cb3d77f19abe6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module @@ -16,10 +16,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 9 insertions(+) diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index 7543a56..93b5a69 100644 +index efbc3f0..071171b 100644 --- a/drivers/platform/x86/asus-wmi.c +++ b/drivers/platform/x86/asus-wmi.c -@@ -1589,6 +1589,9 @@ static int show_dsts(struct seq_file *m, void *data) +@@ -1868,6 +1868,9 @@ static int show_dsts(struct seq_file *m, void *data) int err; u32 retval = -1; 
@@ -29,7 +29,7 @@ index 7543a56..93b5a69 100644 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); if (err < 0) -@@ -1605,6 +1608,9 @@ static int show_devs(struct seq_file *m, void *data) +@@ -1884,6 +1887,9 @@ static int show_devs(struct seq_file *m, void *data) int err; u32 retval = -1; @@ -39,7 +39,7 @@ index 7543a56..93b5a69 100644 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, &retval); -@@ -1629,6 +1635,9 @@ static int show_call(struct seq_file *m, void *data) +@@ -1908,6 +1914,9 @@ static int show_call(struct seq_file *m, void *data) union acpi_object *obj; acpi_status status; @@ -50,5 +50,5 @@ index 7543a56..93b5a69 100644 1, asus->debug.method_id, &input, &output); -- -2.3.6 +2.4.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 8f552cdf68..b76c42cb2a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/06-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,4 +1,4 @@ -From f463770943d3f1f6881fab3c9268fe1013cdf34a Mon Sep 17 00:00:00 2001 +From 2ca28096b959a2f53a3a761426418aea7a4d48f6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is 
@@ -38,5 +38,5 @@ index 53fe675..b52c888 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.3.6 +2.4.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 07c091a47e..3f5b370220 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/07-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,4 +1,4 @@ -From a9f8a4bbb86570f8f418e400eb9cfe284b8f62ea Mon Sep 17 00:00:00 2001 +From 9f838b6efbbabccbef59f278c13381c332e5b992 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 7ccba39..9cbdbcc 100644 +index 3b8963f..a5ae6a7 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -44,6 +44,7 @@ @@ -25,7 +25,7 @@ index 7ccba39..9cbdbcc 100644 #include #include -@@ -252,7 +253,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -255,7 +256,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC 
@@ -35,5 +35,5 @@ index 7ccba39..9cbdbcc 100644 #endif -- -2.3.6 +2.4.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 87% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index b5bb913bab..83aceefded 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/08-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,4 +1,4 @@ -From a79e89146431a294b7afe9ad4f170c9e263f36c2 Mon Sep 17 00:00:00 2001 +From 9b3e6387aadd3baa76e5c1abd7c9071b4871885a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 03:33:56 -0400 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module @@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett 1 file changed, 8 insertions(+) diff --git a/kernel/kexec.c b/kernel/kexec.c -index 7a36fdc..22d30d7 100644 +index a785c10..81d6b40 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c @@ -36,6 +36,7 @@ @@ -25,7 +25,7 @@ index 7a36fdc..22d30d7 100644 #include #include -@@ -1247,6 +1248,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -1258,6 +1259,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, return -EPERM; /* @@ -40,5 +40,5 @@ index 7a36fdc..22d30d7 100644 * This leaves us room for future extensions. */ -- -2.3.6 +2.4.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 0ac09e14cc..05008e5170 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/09-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,4 +1,4 @@ -From 204575347e0f12cafb44b09e95f1512417c2bff2 Mon Sep 17 00:00:00 2001 +From 54cae7b82dc43c871e0cba995d1cf14c5afd7a49 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 Subject: [PATCH 09/14] x86: Restrict MSR access when module loading is @@ -40,5 +40,5 @@ index 113e707..26c2f83 100644 err = -EFAULT; break; -- -2.3.6 +2.4.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/10-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/10-Add-option-to-automatically-enforce-module-signature.patch similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/10-Add-option-to-automatically-enforce-module-signature.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/10-Add-option-to-automatically-enforce-module-signature.patch index 4e6c53751e..9aae975b90 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/10-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/10-Add-option-to-automatically-enforce-module-signature.patch @@ -1,4 +1,4 @@ -From 51778d46aa09dd60ae2e4025ed87f17674beaa53 Mon Sep 17 00:00:00 2001 +From 20d26ef5fc1f9686c8ef9965785227b8ce78e159 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 Subject: [PATCH 10/14] Add option to automatically enforce module signatures @@ -34,10 +34,10 @@ index 82fbdbc..a811210 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 226d569..6a8f880 100644 +index b3a1a5d..e6680fb 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1697,6 +1697,16 @@ config EFI_MIXED +@@ -1704,6 +1704,16 @@ config EFI_MIXED If unsure, say N. @@ -55,7 +55,7 @@ index 226d569..6a8f880 100644 def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 48304b8..2ff1901 100644 +index 7d69afd..03bfc83 100644 --- a/arch/x86/boot/compressed/eboot.c 
+++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -104,7 +104,7 @@ index 48304b8..2ff1901 100644 /* * See if we have Graphics Output Protocol */ -@@ -1408,6 +1440,10 @@ struct boot_params *efi_main(struct efi_config *c, +@@ -1416,6 +1448,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -130,10 +130,10 @@ index ab456dc..74ba408 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d74ac33..88dad73 100644 +index 80f874b..c2e4f52 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1156,6 +1156,12 @@ void __init setup_arch(char **cmdline_p) +@@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -147,10 +147,10 @@ index d74ac33..88dad73 100644 * Parse the ACPI tables for possible boot-time SMP configuration. */ diff --git a/include/linux/module.h b/include/linux/module.h -index cdc46a7..0c1edd3 100644 +index db38634..4b8df91 100644 --- a/include/linux/module.h +++ b/include/linux/module.h -@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); +@@ -273,6 +273,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); struct notifier_block; @@ -164,10 +164,10 @@ index cdc46a7..0c1edd3 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 1773828..e7065d6 100644 +index 7f04524..2b403ab 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -3916,6 +3916,13 @@ void module_layout(struct module *mod, +@@ -4088,6 +4088,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif @@ -182,5 +182,5 @@ index 1773828..e7065d6 100644 { #ifdef CONFIG_MODULE_SIG -- -2.3.6 +2.4.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch similarity index 94% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch index abf80cd85f..8cdf96130b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/11-efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch @@ -1,4 +1,4 @@ -From 0a0fa32050ac4335b919bae16038acdea35ba55f Mon Sep 17 00:00:00 2001 +From 4095f969830267114c73cbef05fc3b984f34bc34 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 5 Feb 2013 19:25:05 -0500 Subject: [PATCH 11/14] efi: Disable secure boot if shim is in insecure mode @@ -15,7 +15,7 @@ Signed-off-by: Josh Boyer 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 2ff1901..35268ab 100644 +index 03bfc83..1e80f3a 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -830,8 +830,9 @@ out: @@ -54,5 +54,5 @@ index 2ff1901..35268ab 100644 } -- -2.3.6 +2.4.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index b194d66727..bb58cda7cf 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/12-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,4 +1,4 @@ -From 05994fcab209f56472d8a8ec75a48f1d92e37440 Mon Sep 17 00:00:00 2001 +From 6435d27b9b072307909802f9417882d3b0a1f554 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 Subject: [PATCH 12/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index 6a8f880..d3c21e9 100644 +index e6680fb..2c4b0e7 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1698,7 +1698,8 @@ config EFI_MIXED +@@ -1705,7 +1705,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE @@ -26,5 +26,5 @@ index 6a8f880..d3c21e9 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.3.6 +2.4.3 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/13-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch
similarity index 81%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/13-efi-Add-EFI_SECURE_BOOT-bit.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch
index 8f0e2fbf21..007d24d772 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/13-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/13-efi-Add-EFI_SECURE_BOOT-bit.patch
@@ -1,4 +1,4 @@
-From e029a605d5db033c5349142ef8a051658f586238 Mon Sep 17 00:00:00 2001
+From 0925cb3f7afbf104e9b5df5dea02dd0d8cdb0c2e Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Tue, 27 Aug 2013 13:33:03 -0400
 Subject: [PATCH 13/14] efi: Add EFI_SECURE_BOOT bit
@@ -13,10 +13,10 @@ Signed-off-by: Josh Boyer
 2 files changed, 3 insertions(+)
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 88dad73..d99c8c3 100644
+index c2e4f52..5def6b4 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1158,7 +1158,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p)
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
 if (boot_params.secure_boot) {
@@ -27,10 +27,10 @@ index 88dad73..d99c8c3 100644
 #endif
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index af5be03..aa4ee20 100644
+index 85ef051..de3e450 100644
 --- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -943,6 +943,7 @@ extern int __init efi_setup_pcdp_console(char *);
+@@ -959,6 +959,7 @@ extern int __init efi_setup_pcdp_console(char *);
 #define EFI_PARAVIRT 6 /* Access is via a paravirt interface */
 #define EFI_ARCH_1 7 /* First arch-specific bit */
 #define EFI_DBG 8 /* Print additional debug info at runtime */
@@ -39,5 +39,5 @@ index af5be03..aa4ee20 100644
 #ifdef CONFIG_EFI
 /*
 --
-2.3.6
+2.4.3
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/14-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/14-hibernate-Disable-in-a-signed-modules-environment.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch
index c9a4c9fe82..0f4f0c300b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/14-hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/14-hibernate-Disable-in-a-signed-modules-environment.patch
@@ -1,4 +1,4 @@
-From 4c471f14d2964118b1cbc7ec4440872215701c5f Mon Sep 17 00:00:00 2001
+From f77ad7f8cdc798a27a4e1f3f1951df958547265f Mon Sep 17 00:00:00 2001
 From: Josh Boyer
 Date: Fri, 20 Jun 2014 08:53:24 -0400
 Subject: [PATCH 14/14] hibernate: Disable in a signed modules environment
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 2329daa..48a8e82 100644
+index 690f78f..037303a 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
 @@ -29,6 +29,7 @@
@@ -35,5 +35,5 @@ index 2329daa..48a8e82 100644
 /**
 --
-2.3.6
+2.4.3
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.1/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.2/net-wireless-wl18xx-Add-missing-MODULE_FIRMWARE.patch