mirror of
https://github.com/flatcar/scripts.git
synced 2025-08-23 15:31:05 +02:00
sys-kernel/coreos-sources: bump to 4.4.1
This commit is contained in:
Alex Crawford
parent
1f80337458
commit
f11fdc61bb
@ -37,6 +37,4 @@ UNIPATCH_LIST="
|
||||
${PATCH_DIR}/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch \
|
||||
${PATCH_DIR}/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
|
||||
${PATCH_DIR}/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch \
|
||||
${PATCH_DIR}/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch \
|
||||
"
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From ed3da1ded7b7581a9a1dc2b48f8ddc7975f3ea67 Mon Sep 17 00:00:00 2001
|
||||
From 2e10f053682b2614c8689ab7cd792030adb37c3d Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
||||
Subject: [PATCH 01/22] Add secure_modules() call
|
||||
Subject: [PATCH 01/21] Add secure_modules() call
|
||||
|
||||
Provide a single call to allow kernel code to determine whether the system
|
||||
has been configured to either disable module loading entirely or to load
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e797ce01ad3c0faa578734900a7c03ee04c06c08 Mon Sep 17 00:00:00 2001
|
||||
From 8161285fced6623edd4c66f9c2d3ece69014a392 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:10:38 -0500
|
||||
Subject: [PATCH 02/22] PCI: Lock down BAR access when module security is
|
||||
Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is
|
||||
enabled
|
||||
|
||||
Any hardware that can potentially generate DMA has to be locked down from
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e1e4b600d77353180227e93c3dda49ebde147578 Mon Sep 17 00:00:00 2001
|
||||
From f55838325eadbb393aaf61a61a177fd7ad2f0280 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Thu, 8 Mar 2012 10:35:59 -0500
|
||||
Subject: [PATCH 03/22] x86: Lock down IO port access when module security is
|
||||
Subject: [PATCH 03/21] x86: Lock down IO port access when module security is
|
||||
enabled
|
||||
|
||||
IO port access would permit users to gain access to PCI configuration
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 15647227ed911e525339ece57b4af9d369390bb0 Mon Sep 17 00:00:00 2001
|
||||
From 957b35947b86b16d1baadce8ec63db80bfb6466a Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:39:37 -0500
|
||||
Subject: [PATCH 04/22] ACPI: Limit access to custom_method
|
||||
Subject: [PATCH 04/21] ACPI: Limit access to custom_method
|
||||
|
||||
custom_method effectively allows arbitrary access to system memory, making
|
||||
it possible for an attacker to circumvent restrictions on module loading.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 5b0f82c10dd93fd281e5f31c01deea1f3e2af1d1 Mon Sep 17 00:00:00 2001
|
||||
From 86c4a0683e7310bad411a1834ce2b949d5bd4534 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 08:46:50 -0500
|
||||
Subject: [PATCH 05/22] asus-wmi: Restrict debugfs interface when module
|
||||
Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module
|
||||
loading is restricted
|
||||
|
||||
We have no way of validating what all of the Asus WMI methods do on a
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 37f5217e456a13bb92814e515616b0524fbf0a89 Mon Sep 17 00:00:00 2001
|
||||
From 03bc662b54a1a5978a2c840eba182b28e65f0c81 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Mar 2012 09:28:15 -0500
|
||||
Subject: [PATCH 06/22] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is
|
||||
restricted
|
||||
|
||||
Allowing users to write to address space makes it possible for the kernel
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f41415ab2cf92434113fbc97fc856ddd6e8a88da Mon Sep 17 00:00:00 2001
|
||||
From 16d485311fc3079de4f5b986f2fc2f7d70274f8d Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Mon, 25 Jun 2012 19:57:30 -0400
|
||||
Subject: [PATCH 07/22] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module
|
||||
loading is restricted
|
||||
|
||||
This option allows userspace to pass the RSDP address to the kernel, which
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e227953c81434fb5156dd2504aeee7960c37a0ad Mon Sep 17 00:00:00 2001
|
||||
From 7d0d3cb705bb1ae5a739d0087e62844d3bec5e6f Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Thu, 19 Nov 2015 18:55:53 -0800
|
||||
Subject: [PATCH 08/22] kexec: Disable at runtime if the kernel enforces module
|
||||
Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module
|
||||
loading restrictions
|
||||
|
||||
kexec permits the loading and execution of arbitrary code in ring 0, which
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 1636adeff714c17d2c9a872e6be9b025df85ef64 Mon Sep 17 00:00:00 2001
|
||||
From c682c72e808feb7c4dcb42ecaae7016c13ce5610 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 8 Feb 2013 11:12:13 -0800
|
||||
Subject: [PATCH 09/22] x86: Restrict MSR access when module loading is
|
||||
Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is
|
||||
restricted
|
||||
|
||||
Writing to MSRs should not be allowed if module loading is restricted,
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f08b4a4b93bc28efe2d7aab38a6b44592d944dda Mon Sep 17 00:00:00 2001
|
||||
From abac45cbcaa27170eef195cb48c33a1b37071f2a Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <matthew.garrett@nebula.com>
|
||||
Date: Fri, 9 Aug 2013 18:36:30 -0400
|
||||
Subject: [PATCH 10/22] Add option to automatically enforce module signatures
|
||||
Subject: [PATCH 10/21] Add option to automatically enforce module signatures
|
||||
when in Secure Boot mode
|
||||
|
||||
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 9bfe6c0b8200244a9517979dc06d3d7bcf8fde4a Mon Sep 17 00:00:00 2001
|
||||
From 76ba8b2fee84c6489316547f19d03a0485f59dc3 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:28:43 -0400
|
||||
Subject: [PATCH 11/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
|
||||
|
||||
The functionality of the config option is dependent upon the platform being
|
||||
UEFI based. Reflect this in the config deps.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 1b435189fb66e031edc4df509576448a96b4c3ff Mon Sep 17 00:00:00 2001
|
||||
From 8d2a8d8ce61706a3a778ae9fd79cb5bab91a2817 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Tue, 27 Aug 2013 13:33:03 -0400
|
||||
Subject: [PATCH 12/22] efi: Add EFI_SECURE_BOOT bit
|
||||
Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit
|
||||
|
||||
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
|
||||
for use with efi_enabled.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From e62a3871237bb79ef5e51b112eff7d940cf06020 Mon Sep 17 00:00:00 2001
|
||||
From b671df07aed28fcbc9e470b52b8c1822f78303c0 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 20 Jun 2014 08:53:24 -0400
|
||||
Subject: [PATCH 13/22] hibernate: Disable in a signed modules environment
|
||||
Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment
|
||||
|
||||
There is currently no way to verify the resume image when returning
|
||||
from hibernate. This might compromise the signed modules trust model,
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 70aadec167cb84865c6e85c1eccc218a024f86ef Mon Sep 17 00:00:00 2001
|
||||
From 9cb22840851be7a7f842229e6603a6b4b25e824d Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:31 +0100
|
||||
Subject: [PATCH 14/22] Security: Provide copy-up security hooks for unioned
|
||||
Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned
|
||||
files
|
||||
|
||||
Provide two new security hooks for use with security files that are used when
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 2e1d35fb4b10cafc0dac63436f94fda8b4e738ee Mon Sep 17 00:00:00 2001
|
||||
From 64ef0efdd90f5aae4fae7c76783b09af53d29dfe Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:31 +0100
|
||||
Subject: [PATCH 15/22] Overlayfs: Use copy-up security hooks
|
||||
Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks
|
||||
|
||||
Use the copy-up security hooks previously provided to allow an LSM to adjust
|
||||
the security on a newly created copy and to filter the xattrs copied to that
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From df782b85901bc5a1e1d5c90895b0166cb7ba6260 Mon Sep 17 00:00:00 2001
|
||||
From 38d19edb9bae02a9e78b26a7b2c4f0980ee13ee3 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 16/22] SELinux: Stub in copy-up handling
|
||||
Subject: [PATCH 16/21] SELinux: Stub in copy-up handling
|
||||
|
||||
Provide stubs for union/overlay copy-up handling. The xattr copy up stub
|
||||
discards lower SELinux xattrs rather than letting them be copied up so that
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From ce05f979bd98e5f267330f47d9a26bbb138dc54f Mon Sep 17 00:00:00 2001
|
||||
From 3e6ccc54dd0383a8c57287f9e63f392595e28cb1 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 17/22] SELinux: Handle opening of a unioned file
|
||||
Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file
|
||||
|
||||
Handle the opening of a unioned file by trying to derive the label that would
|
||||
be attached to the union-layer inode if it doesn't exist.
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From f60b70463bb7493f60a27ac2d06058da87b062d9 Mon Sep 17 00:00:00 2001
|
||||
From 7b0a1257f4b4a35f087db9120b684d3a9c8181e5 Mon Sep 17 00:00:00 2001
|
||||
From: David Howells <dhowells@redhat.com>
|
||||
Date: Tue, 16 Jun 2015 14:14:32 +0100
|
||||
Subject: [PATCH 18/22] SELinux: Check against union label for file operations
|
||||
Subject: [PATCH 18/21] SELinux: Check against union label for file operations
|
||||
|
||||
File operations (eg. read, write) issued against a file that is attached to
|
||||
the lower layer of a union file needs to be checked against the union-layer
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 116f798bcf3fd2ce4965cb15ec44c8180f0428c1 Mon Sep 17 00:00:00 2001
|
||||
From 7505098adc7a76c3d001831af40f39c86d624a67 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Mon, 19 Oct 2015 17:53:12 -0700
|
||||
Subject: [PATCH 19/22] overlayfs: use a minimal buffer in ovl_copy_xattr
|
||||
Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr
|
||||
|
||||
Rather than always allocating the high-order XATTR_SIZE_MAX buffer
|
||||
which is costly and prone to failure, only allocate what is needed and
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 6f682c2c88f74b45c3692a994d90ed51412b932b Mon Sep 17 00:00:00 2001
|
||||
From b0a4a60266e116f35e31a2054d9769f23dc88a95 Mon Sep 17 00:00:00 2001
|
||||
From: Vito Caputo <vito.caputo@coreos.com>
|
||||
Date: Wed, 25 Nov 2015 02:59:45 -0800
|
||||
Subject: [PATCH 20/22] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR
|
||||
|
||||
This enables relocating source and build trees to different roots,
|
||||
provided they stay reachable relative to one another. Useful for
|
||||
@ -12,7 +12,7 @@ by some undesirable path component.
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 70dea02..987d283 100644
|
||||
index c6a265b..8125380 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -143,7 +143,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
From 06ccab87d8c415e51bcf69e34bb27712bad8398f Mon Sep 17 00:00:00 2001
|
||||
From 196c562e9a0ef9a1580f35c014ee7f4669cfb5d7 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Garrett <mjg59@coreos.com>
|
||||
Date: Tue, 22 Dec 2015 07:43:52 +0000
|
||||
Subject: [PATCH 21/22] Don't verify write permissions on lower inodes on
|
||||
Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on
|
||||
overlayfs
|
||||
|
||||
If a user opens a file r/w on overlayfs, and if the underlying inode is
|
||||
|
||||
@ -1,75 +0,0 @@
|
||||
From fc94e26e760f2e752aa55f7b2d58fdcbeeef433e Mon Sep 17 00:00:00 2001
|
||||
From: Yevgeny Pats <yevgeny@perception-point.io>
|
||||
Date: Mon, 11 Jan 2016 12:05:28 +0000
|
||||
Subject: [PATCH 22/22] KEYS: Fix keyring ref leak in join_session_keyring()
|
||||
|
||||
If a thread is asked to join as a session keyring the keyring that's already
|
||||
set as its session, we leak a keyring reference.
|
||||
|
||||
This can be tested with the following program:
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <keyutils.h>
|
||||
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
int i = 0;
|
||||
key_serial_t serial;
|
||||
|
||||
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
|
||||
"leaked-keyring");
|
||||
if (serial < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (keyctl(KEYCTL_SETPERM, serial,
|
||||
KEY_POS_ALL | KEY_USR_ALL) < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
for (i = 0; i < 100; i++) {
|
||||
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
|
||||
"leaked-keyring");
|
||||
if (serial < 0) {
|
||||
perror("keyctl");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
If, after the program has run, there something like the following line in
|
||||
/proc/keys:
|
||||
|
||||
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
|
||||
|
||||
with a usage count of 100 * the number of times the program has been run,
|
||||
then the kernel is malfunctioning. If leaked-keyring has zero usages or
|
||||
has been garbage collected, then the problem is fixed.
|
||||
|
||||
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
security/keys/process_keys.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
|
||||
index a3f85d2..e6d50172 100644
|
||||
--- a/security/keys/process_keys.c
|
||||
+++ b/security/keys/process_keys.c
|
||||
@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
|
||||
ret = PTR_ERR(keyring);
|
||||
goto error2;
|
||||
} else if (keyring == new->session_keyring) {
|
||||
+ key_put(keyring);
|
||||
ret = 0;
|
||||
goto error2;
|
||||
}
|
||||
--
|
||||
2.4.10
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user