sys-kernel/coreos-sources: bump to 4.4.1

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.1.ebuild

@@ -37,6 +37,4 @@ UNIPATCH_LIST="
         ${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
         ${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
         ${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
-        ${PATCH_DIR}/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch \
 "
-

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch

@@ -1,7 +1,7 @@
-From ed3da1ded7b7581a9a1dc2b48f8ddc7975f3ea67 Mon Sep 17 00:00:00 2001
+From 2e10f053682b2614c8689ab7cd792030adb37c3d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 01/22] Add secure_modules() call
+Subject: [PATCH 01/21] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the system
 has been configured to either disable module loading entirely or to load

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -1,7 +1,7 @@
-From e797ce01ad3c0faa578734900a7c03ee04c06c08 Mon Sep 17 00:00:00 2001
+From 8161285fced6623edd4c66f9c2d3ece69014a392 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 02/22] PCI: Lock down BAR access when module security is
+Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -1,7 +1,7 @@
-From e1e4b600d77353180227e93c3dda49ebde147578 Mon Sep 17 00:00:00 2001
+From f55838325eadbb393aaf61a61a177fd7ad2f0280 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 03/22] x86: Lock down IO port access when module security is
+Subject: [PATCH 03/21] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch

@@ -1,7 +1,7 @@
-From 15647227ed911e525339ece57b4af9d369390bb0 Mon Sep 17 00:00:00 2001
+From 957b35947b86b16d1baadce8ec63db80bfb6466a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
-Subject: [PATCH 04/22] ACPI: Limit access to custom_method
+Subject: [PATCH 04/21] ACPI: Limit access to custom_method
 
 custom_method effectively allows arbitrary access to system memory, making
 it possible for an attacker to circumvent restrictions on module loading.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -1,7 +1,7 @@
-From 5b0f82c10dd93fd281e5f31c01deea1f3e2af1d1 Mon Sep 17 00:00:00 2001
+From 86c4a0683e7310bad411a1834ce2b949d5bd4534 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 05/22] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -1,7 +1,7 @@
-From 37f5217e456a13bb92814e515616b0524fbf0a89 Mon Sep 17 00:00:00 2001
+From 03bc662b54a1a5978a2c840eba182b28e65f0c81 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 06/22] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -1,7 +1,7 @@
-From f41415ab2cf92434113fbc97fc856ddd6e8a88da Mon Sep 17 00:00:00 2001
+From 16d485311fc3079de4f5b986f2fc2f7d70274f8d Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
-Subject: [PATCH 07/22] acpi: Ignore acpi_rsdp kernel parameter when module
+Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module
  loading is restricted
 
 This option allows userspace to pass the RSDP address to the kernel, which

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -1,7 +1,7 @@
-From e227953c81434fb5156dd2504aeee7960c37a0ad Mon Sep 17 00:00:00 2001
+From 7d0d3cb705bb1ae5a739d0087e62844d3bec5e6f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Thu, 19 Nov 2015 18:55:53 -0800
-Subject: [PATCH 08/22] kexec: Disable at runtime if the kernel enforces module
+Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
  loading restrictions
 
 kexec permits the loading and execution of arbitrary code in ring 0, which

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -1,7 +1,7 @@
-From 1636adeff714c17d2c9a872e6be9b025df85ef64 Mon Sep 17 00:00:00 2001
+From c682c72e808feb7c4dcb42ecaae7016c13ce5610 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 09/22] x86: Restrict MSR access when module loading is
+Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch

@@ -1,7 +1,7 @@
-From f08b4a4b93bc28efe2d7aab38a6b44592d944dda Mon Sep 17 00:00:00 2001
+From abac45cbcaa27170eef195cb48c33a1b37071f2a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 10/22] Add option to automatically enforce module signatures
+Subject: [PATCH 10/21] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -1,7 +1,7 @@
-From 9bfe6c0b8200244a9517979dc06d3d7bcf8fde4a Mon Sep 17 00:00:00 2001
+From 76ba8b2fee84c6489316547f19d03a0485f59dc3 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
-Subject: [PATCH 11/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
+Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
 
 The functionality of the config option is dependent upon the platform being
 UEFI based.  Reflect this in the config deps.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -1,7 +1,7 @@
-From 1b435189fb66e031edc4df509576448a96b4c3ff Mon Sep 17 00:00:00 2001
+From 8d2a8d8ce61706a3a778ae9fd79cb5bab91a2817 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
-Subject: [PATCH 12/22] efi: Add EFI_SECURE_BOOT bit
+Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit
 
 UEFI machines can be booted in Secure Boot mode.  Add a EFI_SECURE_BOOT bit
 for use with efi_enabled.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch

@@ -1,7 +1,7 @@
-From e62a3871237bb79ef5e51b112eff7d940cf06020 Mon Sep 17 00:00:00 2001
+From b671df07aed28fcbc9e470b52b8c1822f78303c0 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 20 Jun 2014 08:53:24 -0400
-Subject: [PATCH 13/22] hibernate: Disable in a signed modules environment
+Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment
 
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch

@@ -1,7 +1,7 @@
-From 70aadec167cb84865c6e85c1eccc218a024f86ef Mon Sep 17 00:00:00 2001
+From 9cb22840851be7a7f842229e6603a6b4b25e824d Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 14/22] Security: Provide copy-up security hooks for unioned
+Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned
  files
 
 Provide two new security hooks for use with security files that are used when

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch

@@ -1,7 +1,7 @@
-From 2e1d35fb4b10cafc0dac63436f94fda8b4e738ee Mon Sep 17 00:00:00 2001
+From 64ef0efdd90f5aae4fae7c76783b09af53d29dfe Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:31 +0100
-Subject: [PATCH 15/22] Overlayfs: Use copy-up security hooks
+Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
 
 Use the copy-up security hooks previously provided to allow an LSM to adjust
 the security on a newly created copy and to filter the xattrs copied to that

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch

@@ -1,7 +1,7 @@
-From df782b85901bc5a1e1d5c90895b0166cb7ba6260 Mon Sep 17 00:00:00 2001
+From 38d19edb9bae02a9e78b26a7b2c4f0980ee13ee3 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 16/22] SELinux: Stub in copy-up handling
+Subject: [PATCH 16/21] SELinux: Stub in copy-up handling
 
 Provide stubs for union/overlay copy-up handling.  The xattr copy up stub
 discards lower SELinux xattrs rather than letting them be copied up so that

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch

@@ -1,7 +1,7 @@
-From ce05f979bd98e5f267330f47d9a26bbb138dc54f Mon Sep 17 00:00:00 2001
+From 3e6ccc54dd0383a8c57287f9e63f392595e28cb1 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 17/22] SELinux: Handle opening of a unioned file
+Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file
 
 Handle the opening of a unioned file by trying to derive the label that would
 be attached to the union-layer inode if it doesn't exist.

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch

@@ -1,7 +1,7 @@
-From f60b70463bb7493f60a27ac2d06058da87b062d9 Mon Sep 17 00:00:00 2001
+From 7b0a1257f4b4a35f087db9120b684d3a9c8181e5 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Tue, 16 Jun 2015 14:14:32 +0100
-Subject: [PATCH 18/22] SELinux: Check against union label for file operations
+Subject: [PATCH 18/21] SELinux: Check against union label for file operations
 
 File operations (eg. read, write) issued against a file that is attached to
 the lower layer of a union file needs to be checked against the union-layer

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch

@@ -1,7 +1,7 @@
-From 116f798bcf3fd2ce4965cb15ec44c8180f0428c1 Mon Sep 17 00:00:00 2001
+From 7505098adc7a76c3d001831af40f39c86d624a67 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Mon, 19 Oct 2015 17:53:12 -0700
-Subject: [PATCH 19/22] overlayfs: use a minimal buffer in ovl_copy_xattr
+Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
 
 Rather than always allocating the high-order XATTR_SIZE_MAX buffer
 which is costly and prone to failure, only allocate what is needed and

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch

@@ -1,7 +1,7 @@
-From 6f682c2c88f74b45c3692a994d90ed51412b932b Mon Sep 17 00:00:00 2001
+From b0a4a60266e116f35e31a2054d9769f23dc88a95 Mon Sep 17 00:00:00 2001
 From: Vito Caputo <vito.caputo@coreos.com>
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 20/22] kbuild: derive relative path for KBUILD_SRC from CURDIR
+Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
 
 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another.  Useful for
@@ -12,7 +12,7 @@ by some undesirable path component.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 70dea02..987d283 100644
+index c6a265b..8125380 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch

@@ -1,7 +1,7 @@
-From 06ccab87d8c415e51bcf69e34bb27712bad8398f Mon Sep 17 00:00:00 2001
+From 196c562e9a0ef9a1580f35c014ee7f4669cfb5d7 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@coreos.com>
 Date: Tue, 22 Dec 2015 07:43:52 +0000
-Subject: [PATCH 21/22] Don't verify write permissions on lower inodes on
+Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on
  overlayfs
 
 If a user opens a file r/w on overlayfs, and if the underlying inode is

sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch

@@ -1,75 +0,0 @@
-From fc94e26e760f2e752aa55f7b2d58fdcbeeef433e Mon Sep 17 00:00:00 2001
-From: Yevgeny Pats <yevgeny@perception-point.io>
-Date: Mon, 11 Jan 2016 12:05:28 +0000
-Subject: [PATCH 22/22] KEYS: Fix keyring ref leak in join_session_keyring()
-
-If a thread is asked to join as a session keyring the keyring that's already
-set as its session, we leak a keyring reference.
-
-This can be tested with the following program:
-
-	#include <stddef.h>
-	#include <stdio.h>
-	#include <sys/types.h>
-	#include <keyutils.h>
-
-	int main(int argc, const char *argv[])
-	{
-		int i = 0;
-		key_serial_t serial;
-
-		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-				"leaked-keyring");
-		if (serial < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		if (keyctl(KEYCTL_SETPERM, serial,
-			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		for (i = 0; i < 100; i++) {
-			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-					"leaked-keyring");
-			if (serial < 0) {
-				perror("keyctl");
-				return -1;
-			}
-		}
-
-		return 0;
-	}
-
-If, after the program has run, there something like the following line in
-/proc/keys:
-
-3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
-
-with a usage count of 100 * the number of times the program has been run,
-then the kernel is malfunctioning.  If leaked-keyring has zero usages or
-has been garbage collected, then the problem is fixed.
-
-Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/keys/process_keys.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index a3f85d2..e6d50172 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- 		ret = PTR_ERR(keyring);
- 		goto error2;
- 	} else if (keyring == new->session_keyring) {
-+		key_put(keyring);
- 		ret = 0;
- 		goto error2;
- 	}
--- 
-2.4.10
-