From 2c93229944e4b7d33244902527f44cf3267f931e Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert Date: Tue, 7 Feb 2017 13:27:05 -0800 Subject: [PATCH] sys-kernel/coreos-sources: Stop routing primary console to ttyS0 Our GRUB config specifies tty0 as the primary console, but it was being forced to the serial port instead. As a result, boot failures produced no visible error messages on tty0, and the emergency shell was likewise inaccessible. --- ....ebuild => coreos-kernel-4.8.17-r3.ebuild} | 2 +- ...ebuild => coreos-modules-4.8.17-r3.ebuild} | 2 +- .../coreos-sources-4.8.17-r1.ebuild | 48 ------------------ .../coreos-sources-4.8.17-r2.ebuild | 49 +++++++++++++++++++ ...fs-provide-copy-up-security-hook-for.patch | 4 +- ...mplementation-for-inode_copy_up-hook.patch | 4 +- ...fs-Provide-security-hook-for-copy-up.patch | 4 +- ...ntation-for-inode_copy_up_xattr-hook.patch | 4 +- ...urity-pointer-to-determine_inode_lab.patch | 4 +- ...fs-Provide-hook-to-correctly-label-n.patch | 4 +- ...mplement-dentry_create_files_as-hook.patch | 4 +- .../4.8/z0008-Add-secure_modules-call.patch | 4 +- ...R-access-when-module-security-is-ena.patch | 4 +- ...-port-access-when-module-security-is.patch | 4 +- ...1-ACPI-Limit-access-to-custom_method.patch | 4 +- ...t-debugfs-interface-when-module-load.patch | 4 +- ...-and-dev-kmem-when-module-loading-is.patch | 4 +- ..._rsdp-kernel-parameter-when-module-l.patch | 4 +- ...-runtime-if-the-kernel-enforces-modu.patch | 4 +- ...-access-when-module-loading-is-restr.patch | 4 +- ...tomatically-enforce-module-signature.patch | 4 +- ...ECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch | 4 +- .../z0019-efi-Add-EFI_SECURE_BOOT-bit.patch | 4 +- ...able-in-a-signed-modules-environment.patch | 4 +- ...lative-path-for-KBUILD_SRC-from-CURD.patch | 4 +- ...serial-8250-add-CON_CONSDEV-to-flags.patch | 40 +++++++++++++++ ... z0023-Add-arm64-coreos-verity-hash.patch} | 8 +-- ...text-mounts-on-tmpfs-ramfs-devpts-w.patch} | 12 ++--- 28 files changed, 143 insertions(+), 102 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.8.17-r2.ebuild => coreos-kernel-4.8.17-r3.ebuild} (98%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.8.17-r2.ebuild => coreos-modules-4.8.17-r3.ebuild} (98%) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/{z0022-Add-arm64-coreos-verity-hash.patch => z0023-Add-arm64-coreos-verity-hash.patch} (82%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/{z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch => z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch} (88%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r3.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r3.ebuild index 1a6a9c3550..3a1358c5e2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r3.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="-r2" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r3.ebuild similarity index 98% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r3.ebuild index 5f7ad1c646..ff4a14e3a2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r3.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="-r1" +COREOS_SOURCE_REVISION="-r2" inherit coreos-kernel savedconfig DESCRIPTION="CoreOS Linux kernel modules" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r1.ebuild deleted file mode 100644 index 9bb5696b0e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r1.ebuild +++ /dev/null @@ -1,48 +0,0 @@ -# Copyright 2014 CoreOS, Inc. -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" -ETYPE="sources" -inherit kernel-2 -detect_version - -DESCRIPTION="Full sources for the CoreOS Linux kernel" -HOMEPAGE="http://www.kernel.org" -SRC_URI="${KERNEL_URI}" - -KEYWORDS="amd64 arm64" -IUSE="" - -PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" - -# XXX: Note we must prefix the patch filenames with "z" to ensure they are -# applied _after_ a potential patch-${KV}.patch file, present when building a -# patchlevel revision. We mustn't apply our patches first, it fails when the -# local patches overlap with the upstream patch. - -# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' -UNIPATCH_LIST=" - ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \ - ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \ - ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \ - ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \ - ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \ - ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \ - ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \ - ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \ - ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ - ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \ - ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \ - ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ - ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ - ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ - ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ - ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ - ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \ - ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ - ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \ - ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \ - ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ - ${PATCH_DIR}/z0022-Add-arm64-coreos-verity-hash.patch \ - ${PATCH_DIR}/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch \ -" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild new file mode 100644 index 0000000000..4f541f10cd --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild @@ -0,0 +1,49 @@ +# Copyright 2014 CoreOS, Inc. +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" +ETYPE="sources" +inherit kernel-2 +detect_version + +DESCRIPTION="Full sources for the CoreOS Linux kernel" +HOMEPAGE="http://www.kernel.org" +SRC_URI="${KERNEL_URI}" + +KEYWORDS="amd64 arm64" +IUSE="" + +PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}" + +# XXX: Note we must prefix the patch filenames with "z" to ensure they are +# applied _after_ a potential patch-${KV}.patch file, present when building a +# patchlevel revision. We mustn't apply our patches first, it fails when the +# local patches overlap with the upstream patch. + +# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g' +UNIPATCH_LIST=" + ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \ + ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \ + ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \ + ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \ + ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \ + ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \ + ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \ + ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \ + ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \ + ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \ + ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \ + ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \ + ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \ + ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \ + ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \ + ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \ + ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \ + ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \ + ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \ + ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \ + ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \ + ${PATCH_DIR}/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch \ + ${PATCH_DIR}/z0023-Add-arm64-coreos-verity-hash.patch \ + ${PATCH_DIR}/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \ +" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch index 14de50789d..3114d8c7be 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch @@ -1,7 +1,7 @@ From 72f2135b077dd2e44d5bbd6b39194d009aeb2af2 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:57 -0400 -Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for +Subject: [PATCH 01/24] security, overlayfs: provide copy up security hook for unioned files Provide a security hook to label new file correctly when a file is copied @@ -144,5 +144,5 @@ index 4838e7f..f2a7f27 100644 LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch index 750150f403..c083c6962a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch @@ -1,7 +1,7 @@ From b45eb80e5b2412980d38d2ea00aabc3057a91a05 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook +Subject: [PATCH 02/24] selinux: Implementation for inode_copy_up() hook A file is being copied up for overlay file system. Prepare a new set of creds and set create_sid appropriately so that new file is created with @@ -58,5 +58,5 @@ index 13185a6..264ee90 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch index da24d43113..6a4300bf11 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch @@ -1,7 +1,7 @@ From 8a5e4f3cd784d18008e2f32f07cf7ab2f949c00a Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up +Subject: [PATCH 03/24] security,overlayfs: Provide security hook for copy up of xattrs for overlay file Provide a security hook which is called when xattrs of a file are being @@ -125,5 +125,5 @@ index f2a7f27..a9e2bb9 100644 LIST_HEAD_INIT(security_hook_heads.file_permission), .file_alloc_security = -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch index e835151ca5..2091851e53 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch @@ -1,7 +1,7 @@ From 6f9f7038760f6ed22de9beb621d1dcd5259bfa00 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook +Subject: [PATCH 04/24] selinux: Implementation for inode_copy_up_xattr() hook When a file is copied up in overlay, we have already created file on upper/ with right label and there is no need to copy up selinux label/xattr from @@ -49,5 +49,5 @@ index 264ee90..d30d7b3 100644 LSM_HOOK_INIT(file_permission, selinux_file_permission), LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch index 6676e27703..7f07df4d81 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch @@ -1,7 +1,7 @@ From 1104a4c8e3bdf480e5ca55b558a3812b5190bb84 Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 05/21] selinux: Pass security pointer to +Subject: [PATCH 05/24] selinux: Pass security pointer to determine_inode_label() Right now selinux_determine_inode_label() works on security pointer of @@ -69,5 +69,5 @@ index d30d7b3..2bf0d00 100644 inode_mode_to_security_class(inode->i_mode), &newsid); -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch index 433242d4e5..43c722b245 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch @@ -1,7 +1,7 @@ From 6edae1670b755c5c747bdb30031ff9b24f2f585e Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label +Subject: [PATCH 06/24] security, overlayfs: Provide hook to correctly label newly created files During a new file creation we need to make sure new file is created with the @@ -155,5 +155,5 @@ index a9e2bb9..69614f1 100644 .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink), .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir), -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch index 4a42fba5b5..a5d9cc2483 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch @@ -1,7 +1,7 @@ From d1d5776d41d3c426ccb6984206d20769ba1ad01f Mon Sep 17 00:00:00 2001 From: Vivek Goyal Date: Tue, 19 Jul 2016 14:34:59 -0400 -Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook +Subject: [PATCH 07/24] selinux: Implement dentry_create_files_as() hook Calculate what would be the label of newly created file and set that secid in the passed creds. @@ -56,5 +56,5 @@ index 2bf0d00..603b600 100644 LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security), -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch index a43b1d97c7..082b3eca21 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ From 14accb84196be11dbfc524cc24014f479c81e5e2 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 08/21] Add secure_modules() call +Subject: [PATCH 08/24] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load @@ -59,5 +59,5 @@ index 529efae..0332fdd 100644 +} +EXPORT_SYMBOL(secure_modules); -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index e5aac15f18..3d4a8c82ee 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ From c1a2f1afbbccfb4c5659b4dae4f82b442c38f57b Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is +Subject: [PATCH 09/24] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from @@ -114,5 +114,5 @@ index b91c4da..98f5637 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch index 5a50367a87..c5d49c0d2b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ From ef9962bc8d75916b7c2f70a4b13b53f3332efa40 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 10/21] x86: Lock down IO port access when module security is +Subject: [PATCH 10/24] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration @@ -68,5 +68,5 @@ index a33163d..48a2897 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch index c025125866..8d9706d52f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ From d01d4b34ddae2cd731d4b8b08c53260a448806b6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 11/21] ACPI: Limit access to custom_method +Subject: [PATCH 11/24] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. @@ -27,5 +27,5 @@ index c68e724..4277938 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index e580ab7792..b89f5a6949 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch @@ -1,7 +1,7 @@ From 70e4a01956577b99322da3aa0ff3bc991fc23401 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 12/24] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a @@ -50,5 +50,5 @@ index 7c093a0..21fd6b8 100644 1, asus->debug.method_id, &input, &output); -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 2d11a5c2c4..8346f53c1a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ From c746f3492e8c039f9c85341d36cec803cbef9424 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 13/24] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel @@ -38,5 +38,5 @@ index 48a2897..08a7bff 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 4b22190ab9..fd0f7c9c18 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ From 5f74d421b9177d8f92a9462771744e26713b3110 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 14/24] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -35,5 +35,5 @@ index 4305ee9..fa1bcf0 100644 #endif -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 86588a4cf2..2445ceea73 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ From fb93701fdbfbe966ea426cc02e6cd0abdc4e955a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 15/24] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which @@ -35,5 +35,5 @@ index 980936a..a0e4cb3 100644 /* -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index d6b0ce1e7d..bd21391a56 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ From c707e9d71a1beeecf41e75936c89587b68734a35 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is +Subject: [PATCH 16/24] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, @@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644 err = -EFAULT; break; -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch index 501c25ad97..6a4f3c462f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ From 22a7af2714d4dc7284c8070d305fb6d15a8f119b Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 17/21] Add option to automatically enforce module signatures +Subject: [PATCH 17/24] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will @@ -181,5 +181,5 @@ index 0332fdd..3f1ea6b 100644 { #ifdef CONFIG_MODULE_SIG -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index c176039c80..eb327e4437 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ From 22710872487fdcb61445299f7cdd92d1b702fcc8 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 18/24] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -26,5 +26,5 @@ index ba2c734..a5d6b58 100644 ---help--- UEFI Secure Boot provides a mechanism for ensuring that the -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch index 7257487ee8..c46ce7ffcd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ From b0f4c9e56311b1d894766e815570b240f5c5edbe Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 19/24] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -39,5 +39,5 @@ index 0148a30..4b62b48 100644 #ifdef CONFIG_EFI /* -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch index 4bb0764bad..7e54b9cbf4 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ From f342c4af0fd094a2ab367c5b5bf019d41337e7e9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment +Subject: [PATCH 20/24] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -35,5 +35,5 @@ index 33c79b6..d1420be 100644 /** -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index ac6dcebe8e..29df705f90 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ From fd0e3487c3e608c27b03adad678df805eff0811f Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 21/24] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -26,5 +26,5 @@ index ace32d3..66cfbaa 100644 # Leave processing to above invocation of make -- -2.10.2 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch new file mode 100644 index 0000000000..8b2ce25df1 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch @@ -0,0 +1,40 @@ +From e47cbf707c26036420fec8846d07ec640b744c0e Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Sun, 11 Dec 2016 10:05:49 +0800 +Subject: [PATCH 22/24] Revert "tty: serial: 8250: add CON_CONSDEV to flags" + +This commit needs to be reverted because it prevents people from +using the serial console as a secondary console with input being +directed to tty0. + +IOW, if you boot with console=ttyS0 console=tty0 then all kernels +prior to this commit will produce output on both ttyS0 and tty0 +but input will only be taken from tty0. With this patch the serial +console will always be the primary console instead of tty0, +potentially preventing people from getting into their machines in +emergency situations. + +Fixes: d03516df8375 ("tty: serial: 8250: add CON_CONSDEV to flags") +Signed-off-by: Herbert Xu +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index dcf43f6..fa823a5 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -675,7 +675,7 @@ static struct console univ8250_console = { + .device = uart_console_device, + .setup = univ8250_console_setup, + .match = univ8250_console_match, +- .flags = CON_PRINTBUFFER | CON_ANYTIME | CON_CONSDEV, ++ .flags = CON_PRINTBUFFER | CON_ANYTIME, + .index = -1, + .data = &serial8250_reg, + }; +-- +2.9.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Add-arm64-coreos-verity-hash.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch index c6dbdf18c0..bd7ebe0b15 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch @@ -1,7 +1,7 @@ -From 4c66942f5f1ce010fbe028256940ea9d50eb069e Mon Sep 17 00:00:00 2001 +From e3614cf4156b5b9eb7eb9e1a1081260ca404b0fe Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH] Add arm64 coreos verity hash +Subject: [PATCH 23/24] Add arm64 coreos verity hash Signed-off-by: Geoff Levand --- @@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S -index 332e331..964bae1 100644 +index 4d19508..b7ecaf9 100644 --- a/arch/arm64/kernel/head.S +++ b/arch/arm64/kernel/head.S @@ -195,6 +195,11 @@ section_table: @@ -25,5 +25,5 @@ index 332e331..964bae1 100644 * EFI will load .text onwards at the 4k section alignment * described in the PE/COFF header. To ensure that instruction -- -2.7.4 +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch index 10af42ef5a..c5950710d8 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch @@ -1,8 +1,8 @@ -From 01593d3299a1cfdb5e08acf95f63ec59dd674906 Mon Sep 17 00:00:00 2001 +From e5868fc1175409ad885926cbb66cb5dc5fc3e6fa Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 9 Jan 2017 10:07:31 -0500 -Subject: selinux: allow context mounts on tmpfs, ramfs, devpts within user - namespaces +Subject: [PATCH 24/24] selinux: allow context mounts on tmpfs, ramfs, devpts + within user namespaces commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for unprivileged mounts from user namespaces") prohibited any use of context @@ -31,10 +31,10 @@ Signed-off-by: Paul Moore 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index e4b953f..e32f4b5 100644 +index 603b600..feb29df 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c -@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, +@@ -832,10 +832,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, } /* @@ -53,5 +53,5 @@ index e4b953f..e32f4b5 100644 defcontext_sid) { rc = -EACCES; -- -cgit v0.12 +2.9.3