Merge pull request #2417 from bgilbert/tty0

sys-kernel/coreos-sources: Stop routing primary console to ttyS0
2025-08-23 15:31:05 +02:00 · 2017-02-08 12:11:53 -08:00 · 2017-02-08 12:11:53 -08:00 · efb914596c
commit efb914596c
parent 8d9d15aafd 2c93229944
28 changed files with 143 additions and 102 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.8.17-r3.ebuild
@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION="-r2"
 inherit coreos-kernel
 DESCRIPTION="CoreOS Linux kernel"
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.8.17-r3.ebuild
@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 EAPI=5
-COREOS_SOURCE_REVISION="-r1"
+COREOS_SOURCE_REVISION="-r2"
 inherit coreos-kernel savedconfig
 DESCRIPTION="CoreOS Linux kernel modules"
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r1.ebuild
@ -1,48 +0,0 @@
 # Copyright 2014 CoreOS, Inc.
 # Distributed under the terms of the GNU General Public License v2
 EAPI="5"
 ETYPE="sources"
 inherit kernel-2
 detect_version
 DESCRIPTION="Full sources for the CoreOS Linux kernel"
 HOMEPAGE="http://www.kernel.org"
 SRC_URI="${KERNEL_URI}"
 KEYWORDS="amd64 arm64"
 IUSE=""
 PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
 # XXX: Note we must prefix the patch filenames with "z" to ensure they are
 # applied _after_ a potential patch-${KV}.patch file, present when building a
 # patchlevel revision.  We mustn't apply our patches first, it fails when the
 # local patches overlap with the upstream patch.
 # in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
 UNIPATCH_LIST="
        ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
        ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
        ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
        ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
        ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
        ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
        ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
        ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
        ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
        ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
        ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
        ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
        ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
        ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
        ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
        ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
        ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
        ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
        ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
        ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
        ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
        ${PATCH_DIR}/z0022-Add-arm64-coreos-verity-hash.patch \
        ${PATCH_DIR}/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch \
 "
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild
@ -0,0 +1,49 @@
 # Copyright 2014 CoreOS, Inc.
 # Distributed under the terms of the GNU General Public License v2
 EAPI="5"
 ETYPE="sources"
 inherit kernel-2
 detect_version
 DESCRIPTION="Full sources for the CoreOS Linux kernel"
 HOMEPAGE="http://www.kernel.org"
 SRC_URI="${KERNEL_URI}"
 KEYWORDS="amd64 arm64"
 IUSE=""
 PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
 # XXX: Note we must prefix the patch filenames with "z" to ensure they are
 # applied _after_ a potential patch-${KV}.patch file, present when building a
 # patchlevel revision.  We mustn't apply our patches first, it fails when the
 # local patches overlap with the upstream patch.
 # in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
 UNIPATCH_LIST="
 	${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
 	${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
 	${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
 	${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
 	${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
 	${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
 	${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
 	${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
 	${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
 	${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
 	${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
 	${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
 	${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
 	${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
 	${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
 	${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
 	${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
 	${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
 	${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
 	${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
 	${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
 	${PATCH_DIR}/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch \
 	${PATCH_DIR}/z0023-Add-arm64-coreos-verity-hash.patch \
 	${PATCH_DIR}/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
 "
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch
@ -1,7 +1,7 @@
 From 72f2135b077dd2e44d5bbd6b39194d009aeb2af2 Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:57 -0400
-Subject: [PATCH 01/21] security, overlayfs: provide copy up security hook for
+Subject: [PATCH 01/24] security, overlayfs: provide copy up security hook for
 unioned files
 Provide a security hook to label new file correctly when a file is copied
@ -144,5 +144,5 @@ index 4838e7f..f2a7f27 100644
 		LIST_HEAD_INIT(security_hook_heads.file_permission),
 	.file_alloc_security =
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch
@ -1,7 +1,7 @@
 From b45eb80e5b2412980d38d2ea00aabc3057a91a05 Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 02/21] selinux: Implementation for inode_copy_up() hook
+Subject: [PATCH 02/24] selinux: Implementation for inode_copy_up() hook
 A file is being copied up for overlay file system. Prepare a new set of
 creds and set create_sid appropriately so that new file is created with
@ -58,5 +58,5 @@ index 13185a6..264ee90 100644
 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch
@ -1,7 +1,7 @@
 From 8a5e4f3cd784d18008e2f32f07cf7ab2f949c00a Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 03/21] security,overlayfs: Provide security hook for copy up
+Subject: [PATCH 03/24] security,overlayfs: Provide security hook for copy up
 of xattrs for overlay file
 Provide a security hook which is called when xattrs of a file are being
@ -125,5 +125,5 @@ index f2a7f27..a9e2bb9 100644
 		LIST_HEAD_INIT(security_hook_heads.file_permission),
 	.file_alloc_security =
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch
@ -1,7 +1,7 @@
 From 6f9f7038760f6ed22de9beb621d1dcd5259bfa00 Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:58 -0400
-Subject: [PATCH 04/21] selinux: Implementation for inode_copy_up_xattr() hook
+Subject: [PATCH 04/24] selinux: Implementation for inode_copy_up_xattr() hook
 When a file is copied up in overlay, we have already created file on upper/
 with right label and there is no need to copy up selinux label/xattr from
@ -49,5 +49,5 @@ index 264ee90..d30d7b3 100644
 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch
@ -1,7 +1,7 @@
 From 1104a4c8e3bdf480e5ca55b558a3812b5190bb84 Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 05/21] selinux: Pass security pointer to
+Subject: [PATCH 05/24] selinux: Pass security pointer to
 determine_inode_label()
 Right now selinux_determine_inode_label() works on security pointer of
@ -69,5 +69,5 @@ index d30d7b3..2bf0d00 100644
 		inode_mode_to_security_class(inode->i_mode),
 		&newsid);
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch
@ -1,7 +1,7 @@
 From 6edae1670b755c5c747bdb30031ff9b24f2f585e Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 06/21] security, overlayfs: Provide hook to correctly label
+Subject: [PATCH 06/24] security, overlayfs: Provide hook to correctly label
 newly created files
 During a new file creation we need to make sure new file is created with the
@ -155,5 +155,5 @@ index a9e2bb9..69614f1 100644
 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch
@ -1,7 +1,7 @@
 From d1d5776d41d3c426ccb6984206d20769ba1ad01f Mon Sep 17 00:00:00 2001
 From: Vivek Goyal <vgoyal@redhat.com>
 Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 07/21] selinux: Implement dentry_create_files_as() hook
+Subject: [PATCH 07/24] selinux: Implement dentry_create_files_as() hook
 Calculate what would be the label of newly created file and set that secid
 in the passed creds.
@ -56,5 +56,5 @@ index 2bf0d00..603b600 100644
 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch
@ -1,7 +1,7 @@
 From 14accb84196be11dbfc524cc24014f479c81e5e2 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 08/21] Add secure_modules() call
+Subject: [PATCH 08/24] Add secure_modules() call
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load
@ -59,5 +59,5 @@ index 529efae..0332fdd 100644
 +}
 +EXPORT_SYMBOL(secure_modules);
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
@ -1,7 +1,7 @@
 From c1a2f1afbbccfb4c5659b4dae4f82b442c38f57b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 09/21] PCI: Lock down BAR access when module security is
+Subject: [PATCH 09/24] PCI: Lock down BAR access when module security is
 enabled
 Any hardware that can potentially generate DMA has to be locked down from
@ -114,5 +114,5 @@ index b91c4da..98f5637 100644
 	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch
@ -1,7 +1,7 @@
 From ef9962bc8d75916b7c2f70a4b13b53f3332efa40 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 10/21] x86: Lock down IO port access when module security is
+Subject: [PATCH 10/24] x86: Lock down IO port access when module security is
 enabled
 IO port access would permit users to gain access to PCI configuration
@ -68,5 +68,5 @@ index a33163d..48a2897 100644
 		return -EFAULT;
 	while (count-- > 0 && i < 65536) {
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch
@ -1,7 +1,7 @@
 From d01d4b34ddae2cd731d4b8b08c53260a448806b6 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 11/21] ACPI: Limit access to custom_method
+Subject: [PATCH 11/24] ACPI: Limit access to custom_method
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.
@ -27,5 +27,5 @@ index c68e724..4277938 100644
 		/* parse the table header to get the table length */
 		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
@ -1,7 +1,7 @@
 From 70e4a01956577b99322da3aa0ff3bc991fc23401 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 12/21] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 12/24] asus-wmi: Restrict debugfs interface when module
 loading is restricted
 We have no way of validating what all of the Asus WMI methods do on a
@ -50,5 +50,5 @@ index 7c093a0..21fd6b8 100644
 				     1, asus->debug.method_id,
 				     &input, &output);
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
@ -1,7 +1,7 @@
 From c746f3492e8c039f9c85341d36cec803cbef9424 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 13/21] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 13/24] Restrict /dev/mem and /dev/kmem when module loading is
 restricted
 Allowing users to write to address space makes it possible for the kernel
@ -38,5 +38,5 @@ index 48a2897..08a7bff 100644
 		unsigned long to_write = min_t(unsigned long, count,
 					       (unsigned long)high_memory - p);
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch
@ -1,7 +1,7 @@
 From 5f74d421b9177d8f92a9462771744e26713b3110 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 14/21] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 14/24] acpi: Ignore acpi_rsdp kernel parameter when module
 loading is restricted
 This option allows userspace to pass the RSDP address to the kernel, which
@ -35,5 +35,5 @@ index 4305ee9..fa1bcf0 100644
 #endif
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch
@ -1,7 +1,7 @@
 From fb93701fdbfbe966ea426cc02e6cd0abdc4e955a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 15/21] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 15/24] kexec: Disable at runtime if the kernel enforces module
 loading restrictions
 kexec permits the loading and execution of arbitrary code in ring 0, which
@ -35,5 +35,5 @@ index 980936a..a0e4cb3 100644
 	/*
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@ -1,7 +1,7 @@
 From c707e9d71a1beeecf41e75936c89587b68734a35 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 16/21] x86: Restrict MSR access when module loading is
+Subject: [PATCH 16/24] x86: Restrict MSR access when module loading is
 restricted
 Writing to MSRs should not be allowed if module loading is restricted,
@ -40,5 +40,5 @@ index 7f3550a..963ba40 100644
 			err = -EFAULT;
 			break;
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch
@ -1,7 +1,7 @@
 From 22a7af2714d4dc7284c8070d305fb6d15a8f119b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 17/21] Add option to automatically enforce module signatures
+Subject: [PATCH 17/24] Add option to automatically enforce module signatures
 when in Secure Boot mode
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@ -181,5 +181,5 @@ index 0332fdd..3f1ea6b 100644
 {
 #ifdef CONFIG_MODULE_SIG
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
@ -1,7 +1,7 @@
 From 22710872487fdcb61445299f7cdd92d1b702fcc8 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 18/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 18/24] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.
@ -26,5 +26,5 @@ index ba2c734..a5d6b58 100644
 	---help---
 	  UEFI Secure Boot provides a mechanism for ensuring that the
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch
@ -1,7 +1,7 @@
 From b0f4c9e56311b1d894766e815570b240f5c5edbe Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 19/21] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 19/24] efi: Add EFI_SECURE_BOOT bit
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.
@ -39,5 +39,5 @@ index 0148a30..4b62b48 100644
 #ifdef CONFIG_EFI
 /*
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch
@ -1,7 +1,7 @@
 From f342c4af0fd094a2ab367c5b5bf019d41337e7e9 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 20/21] hibernate: Disable in a signed modules environment
+Subject: [PATCH 20/24] hibernate: Disable in a signed modules environment
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@ -35,5 +35,5 @@ index 33c79b6..d1420be 100644
 /**
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch
@ -1,7 +1,7 @@
 From fd0e3487c3e608c27b03adad678df805eff0811f Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 21/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 21/24] kbuild: derive relative path for KBUILD_SRC from CURDIR
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@ -26,5 +26,5 @@ index ace32d3..66cfbaa 100644
 # Leave processing to above invocation of make
 -- 
-2.10.2
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch
@ -0,0 +1,40 @@
 From e47cbf707c26036420fec8846d07ec640b744c0e Mon Sep 17 00:00:00 2001
 From: Herbert Xu <herbert@gondor.apana.org.au>
 Date: Sun, 11 Dec 2016 10:05:49 +0800
 Subject: [PATCH 22/24] Revert "tty: serial: 8250: add CON_CONSDEV to flags"
 This commit needs to be reverted because it prevents people from
 using the serial console as a secondary console with input being
 directed to tty0.
 IOW, if you boot with console=ttyS0 console=tty0 then all kernels
 prior to this commit will produce output on both ttyS0 and tty0
 but input will only be taken from tty0.  With this patch the serial
 console will always be the primary console instead of tty0,
 potentially preventing people from getting into their machines in
 emergency situations.
 Fixes: d03516df8375 ("tty: serial: 8250: add CON_CONSDEV to flags")
 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 Cc: stable <stable@vger.kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
 drivers/tty/serial/8250/8250_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
 index dcf43f6..fa823a5 100644
 --- a/drivers/tty/serial/8250/8250_core.c
 +++ b/drivers/tty/serial/8250/8250_core.c
@@ -675,7 +675,7 @@ static struct console univ8250_console = {
 	.device		= uart_console_device,
 	.setup		= univ8250_console_setup,
 	.match		= univ8250_console_match,
 -	.flags		= CON_PRINTBUFFER | CON_ANYTIME | CON_CONSDEV,
 +	.flags		= CON_PRINTBUFFER | CON_ANYTIME,
 	.index		= -1,
 	.data		= &serial8250_reg,
 };
 -- 
 2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch
@ -1,7 +1,7 @@
-From 4c66942f5f1ce010fbe028256940ea9d50eb069e Mon Sep 17 00:00:00 2001
+From e3614cf4156b5b9eb7eb9e1a1081260ca404b0fe Mon Sep 17 00:00:00 2001
 From: Geoff Levand <geoff@infradead.org>
 Date: Fri, 11 Nov 2016 17:28:52 -0800
-Subject: [PATCH] Add arm64 coreos verity hash
+Subject: [PATCH 23/24] Add arm64 coreos verity hash
 Signed-off-by: Geoff Levand <geoff@infradead.org>
 ---
@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand <geoff@infradead.org>
 1 file changed, 5 insertions(+)
 diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
-index 332e331..964bae1 100644
+index 4d19508..b7ecaf9 100644
 --- a/arch/arm64/kernel/head.S
 +++ b/arch/arm64/kernel/head.S
@@ -195,6 +195,11 @@ section_table:
@ -25,5 +25,5 @@ index 332e331..964bae1 100644
 	 * EFI will load .text onwards at the 4k section alignment
 	 * described in the PE/COFF header. To ensure that instruction
 -- 
-2.7.4
+2.9.3
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-within-user-namespaces.patch
@ -1,8 +1,8 @@
-From 01593d3299a1cfdb5e08acf95f63ec59dd674906 Mon Sep 17 00:00:00 2001
+From e5868fc1175409ad885926cbb66cb5dc5fc3e6fa Mon Sep 17 00:00:00 2001
 From: Stephen Smalley <sds@tycho.nsa.gov>
 Date: Mon, 9 Jan 2017 10:07:31 -0500
-Subject: selinux: allow context mounts on tmpfs, ramfs, devpts within user
+Subject: [PATCH 24/24] selinux: allow context mounts on tmpfs, ramfs, devpts
- namespaces
+ within user namespaces
 commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for
 unprivileged mounts from user namespaces") prohibited any use of context
@ -31,10 +31,10 @@ Signed-off-by: Paul Moore <paul@paul-moore.com>
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index e4b953f..e32f4b5 100644
+index 603b600..feb29df 100644
 --- a/security/selinux/hooks.c
 +++ b/security/selinux/hooks.c
-@@ -834,10 +834,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
+@@ -832,10 +832,14 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 	}
 	/*
@ -53,5 +53,5 @@ index e4b953f..e32f4b5 100644
 		    defcontext_sid) {
 			rc = -EACCES;
 -- 
-cgit v0.12
+2.9.3