From faf25d6dd9dcedbbb9708b185d2ccbe4ee7e2e21 Mon Sep 17 00:00:00 2001 
From: Benjamin Gilbert
Date: Mon, 13 Feb 2017 16:51:06 -0800
Subject: [PATCH] sys-kernel/coreos-sources: bump to v4.9.9
---
 .../sys-kernel/coreos-sources/Manifest | 4 +-
 .../coreos-sources-4.8.17-r2.ebuild | 49 ---
 .../coreos-sources-4.9.9.ebuild | 43 +++
 ...fs-provide-copy-up-security-hook-for.patch | 148 --------
 ...mplementation-for-inode_copy_up-hook.patch | 62 ----
 ...fs-Provide-security-hook-for-copy-up.patch | 129 -------
 ...ntation-for-inode_copy_up_xattr-hook.patch | 53 ---
 ...urity-pointer-to-determine_inode_lab.patch | 73 -----
 ...fs-Provide-hook-to-correctly-label-n.patch | 159 --------
 ...mplement-dentry_create_files_as-hook.patch | 60 ----
 ...serial-8250-add-CON_CONSDEV-to-flags.patch | 40 ---
 .../z0001-Add-secure_modules-call.patch} | 8 +-
 ...-access-when-module-security-is-ena.patch} | 4 +-
 ...port-access-when-module-security-is.patch} | 8 +-
 ...-ACPI-Limit-access-to-custom_method.patch} | 4 +-
 ...-debugfs-interface-when-module-load.patch} | 6 +-
 ...and-dev-kmem-when-module-loading-is.patch} | 8 +-
 ...rsdp-kernel-parameter-when-module-l.patch} | 8 +-
 ...runtime-if-the-kernel-enforces-modu.patch} | 4 +-
 ...access-when-module-loading-is-restr.patch} | 4 +-
 ...omatically-enforce-module-signature.patch} | 20 +-
 ...CURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch} | 8 +-
 .../z0012-efi-Add-EFI_SECURE_BOOT-bit.patch} | 10 +-
 ...ble-in-a-signed-modules-environment.patch} | 6 +-
 ...ative-path-for-KBUILD_SRC-from-CURD.patch} | 6 +-
 .../z0015-Add-arm64-coreos-verity-hash.patch} | 6 +-
 ...text-mounts-on-tmpfs-ramfs-devpts-w.patch} | 6 +-
 ...apl-Make-package-handling-more-robus.patch | 179 ++++++++++
 ...ncore-Make-package-handling-more-rob.patch | 309 ++++++++++++++++++
 29 files changed, 591 insertions(+), 833 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.9.ebuild
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0008-Add-secure_modules-call.patch => 4.9/z0001-Add-secure_modules-call.patch} (88%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch => 4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch} (96%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch => 4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch} (89%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0011-ACPI-Limit-access-to-custom_method.patch => 4.9/z0004-ACPI-Limit-access-to-custom_method.patch} (88%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch => 4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch} (90%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch => 4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch} (83%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch => 4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch} (80%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch => 4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch} (89%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch => 4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch} (89%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch => 4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch} (91%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch => 4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch} (78%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch => 4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch} (82%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch => 4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch} (86%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch => 4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch} (84%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0023-Add-arm64-coreos-verity-hash.patch => 4.9/z0015-Add-arm64-coreos-verity-hash.patch} (83%)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/{4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch => 4.9/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch} (92%)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
index 511cdfd3f1..cfdb5f2624 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/Manifest
@@ -1,2 +1,2 @@
-DIST linux-4.8.tar.xz 91966856 SHA256 3e9150065f193d3d94bcf46a1fe9f033c7ef7122ab71d75a7fb5a2f0c9a7e11a SHA512 a48a065f21e1c7c4de4cf8ca47b8b8d9a70f86b64e7cfa6e01be490f78895745b9c8790734b1d22182cf1f930fb87eaaa84e62ec8cc1f64ac4be9b949e7c0358 WHIRLPOOL 3888c8c07db0c069f827245d4d7306087f78f7d03e8240eb1fcd13622cd5dbe1c17cd8ed7dc11513f77f3efd5dbd84e2b48e82bdb9b9bfd2242fd62ae32812d5
-DIST patch-4.8.17.xz 320288 SHA256 1e4be6f6a8eab3edcd0899db382fe1a9330320c603a9ad2c32ebb1dc6f53b3db SHA512 df239d990077cdf697fd487b4b8abb97fe442ac9fac4ed2e90c626560fc15058363310cf40580fd000d4ad55198486594a608544ce9c2bcaf03704415aa45441 WHIRLPOOL 401c8ee9f41b78b355ab76f1f0ed25b53855f641e0c27c07461e82af4e322fe958f73ef3cce6d074de2a6be550c8c8615a0a53187f3f9d17c8bd8b928d3a6051
+DIST linux-4.9.tar.xz 93192404 SHA256 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a SHA512 bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a WHIRLPOOL 072505b29972ad120eb25a074217847c9c2813416c4903e605a0433574f5f87616dbea0b1454e4b19acc48107f11274b682958b1d773373156e99f8163e6606a
+DIST patch-4.9.9.xz 256400 SHA256 ec97e3bf8585865d409a804316b276a6b4e4939286de9757f99bfb41cf112078 SHA512 a7a2d44b83b00b20f1424d12af0f42e1c576d3053feacd13491ef185661fb1c789b9265c500b62f5ede39f57b72f358820000fa6c852a5f035e566ee1dfcd5d9 WHIRLPOOL 3d83b79dd6d4ca249638338cfd93153f2914142859d4126fbc499acc30f1aef2ba7d59c41c337fd45fb20b56b375fb2457319c933bdf8c38b656eb3e340fe95e
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild
deleted file mode 100644
index 4f541f10cd..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.8.17-r2.ebuild
+++ /dev/null
@@ -1,49 +0,0 @@
-# Copyright 2014 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="5"
-ETYPE="sources"
-inherit kernel-2
-detect_version
-
-DESCRIPTION="Full sources for the CoreOS Linux kernel"
-HOMEPAGE="http://www.kernel.org"
-SRC_URI="${KERNEL_URI}"
-
-KEYWORDS="amd64 arm64"
-IUSE=""
-
-PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
-
-# XXX: Note we must prefix the patch filenames with "z" to ensure they are
-# applied _after_ a potential patch-${KV}.patch file, present when building a
-# patchlevel revision. We mustn't apply our patches first, it fails when the
-# local patches overlap with the upstream patch.
-
-# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
-UNIPATCH_LIST="
- ${PATCH_DIR}/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch \
- ${PATCH_DIR}/z0002-selinux-Implementation-for-inode_copy_up-hook.patch \
- ${PATCH_DIR}/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch \
- ${PATCH_DIR}/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch \
- ${PATCH_DIR}/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch \
- ${PATCH_DIR}/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch \
- ${PATCH_DIR}/z0007-selinux-Implement-dentry_create_files_as-hook.patch \
- ${PATCH_DIR}/z0008-Add-secure_modules-call.patch \
- ${PATCH_DIR}/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
- ${PATCH_DIR}/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch \
- ${PATCH_DIR}/z0011-ACPI-Limit-access-to-custom_method.patch \
- ${PATCH_DIR}/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
- ${PATCH_DIR}/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
- ${PATCH_DIR}/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
- ${PATCH_DIR}/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
- ${PATCH_DIR}/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
- ${PATCH_DIR}/z0017-Add-option-to-automatically-enforce-module-signature.patch \
- ${PATCH_DIR}/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
- ${PATCH_DIR}/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch \
- ${PATCH_DIR}/z0020-hibernate-Disable-in-a-signed-modules-environment.patch \
- ${PATCH_DIR}/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
- ${PATCH_DIR}/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch \
- ${PATCH_DIR}/z0023-Add-arm64-coreos-verity-hash.patch \
- ${PATCH_DIR}/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
-"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.9.ebuild
new file mode 100644
index 0000000000..06ade768e9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.9.9.ebuild
@@ -0,0 +1,43 @@
+# Copyright 2014 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+ETYPE="sources"
+inherit kernel-2
+detect_version
+
+DESCRIPTION="Full sources for the CoreOS Linux kernel"
+HOMEPAGE="http://www.kernel.org"
+SRC_URI="${KERNEL_URI}"
+
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+PATCH_DIR="${FILESDIR}/${KV_MAJOR}.${KV_MINOR}"
+
+# XXX: Note we must prefix the patch filenames with "z" to ensure they are
+# applied _after_ a potential patch-${KV}.patch file, present when building a
+# patchlevel revision. We mustn't apply our patches first, it fails when the
+# local patches overlap with the upstream patch.
+
+# in $PATCH_DIR: ls -1 | sed -e 's/^/\t${PATCH_DIR}\//g' -e 's/$/ \\/g'
+UNIPATCH_LIST="
+ ${PATCH_DIR}/z0001-Add-secure_modules-call.patch \
+ ${PATCH_DIR}/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch \
+ ${PATCH_DIR}/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch \
+ ${PATCH_DIR}/z0004-ACPI-Limit-access-to-custom_method.patch \
+ ${PATCH_DIR}/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch \
+ ${PATCH_DIR}/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch \
+ ${PATCH_DIR}/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch \
+ ${PATCH_DIR}/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch \
+ ${PATCH_DIR}/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch \
+ ${PATCH_DIR}/z0010-Add-option-to-automatically-enforce-module-signature.patch \
+ ${PATCH_DIR}/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch \
+ ${PATCH_DIR}/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch \
+ ${PATCH_DIR}/z0013-hibernate-Disable-in-a-signed-modules-environment.patch \
+ ${PATCH_DIR}/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch \
+ ${PATCH_DIR}/z0015-Add-arm64-coreos-verity-hash.patch \
+ ${PATCH_DIR}/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch \
+ ${PATCH_DIR}/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch \
+ ${PATCH_DIR}/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch \
+"
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch
deleted file mode 100644
index 3114d8c7be..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0001-security-overlayfs-provide-copy-up-security-hook-for.patch
+++ /dev/null
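Review bot: The new UNIPATCH_LIST drops the overlayfs/SELinux copy-up series (4.8's z0001–z0007) and the 8250 CON_CONSDEV revert (4.8's z0022) without recording why, and neither the ebuild comment nor the commit message says whether they landed upstream in 4.9 or were deliberately abandoned. Those seven patches decide how SELinux labels files copied up in overlay mounts, so a maintainer auditing the 4.9 lockdown/labeling set cannot tell from this file alone that coverage was not lost. I would add a line above the list, e.g. `# 4.8's overlayfs/SELinux copy-up series and the 8250 CON_CONSDEV revert are no longer carried here — presumably merged upstream in 4.9; verify against the 4.9 tree`, and ideally cite the upstream commit ids in the commit message. The two new perf patches (z0017, z0018) are likewise unannotated; if they are stable backports, the same comment could name their upstream ids, which the patch files themselves presumably carry.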
@@ -1,148 +0,0 @@ -From 72f2135b077dd2e44d5bbd6b39194d009aeb2af2 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:57 -0400 -Subject: [PATCH 01/24] security, overlayfs: provide copy up security hook for - unioned files - -Provide a security hook to label new file correctly when a file is copied -up from lower layer to upper layer of a overlay/union mount. - -This hook can prepare a new set of creds which are suitable for new file -creation during copy up. Caller will use new creds to create file and then -revert back to old creds and release new creds. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - fs/overlayfs/copy_up.c | 15 +++++++++++++++ - include/linux/lsm_hooks.h | 11 +++++++++++ - include/linux/security.h | 6 ++++++ - security/security.c | 8 ++++++++ - 4 files changed, 40 insertions(+) - -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 767377e..14a892b 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -260,6 +260,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, - struct dentry *upper = NULL; - umode_t mode = stat->mode; - int err; -+ const struct cred *old_creds = NULL; -+ struct cred *new_creds = NULL; - - newdentry = ovl_lookup_temp(workdir, dentry); - err = PTR_ERR(newdentry); -@@ -272,10 +274,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir, - if (IS_ERR(upper)) - goto out1; - -+ err = security_inode_copy_up(dentry, &new_creds); -+ if (err < 0) -+ goto out2; -+ -+ if (new_creds) -+ old_creds = override_creds(new_creds); -+ - /* Can't properly set mode on creation because of the umask */ - stat->mode &= S_IFMT; - err = ovl_create_real(wdir, newdentry, stat, link, NULL, true); - stat->mode = mode; -+ -+ if (new_creds) { -+ revert_creds(old_creds); -+ put_cred(new_creds); -+ } -+ - if (err) - goto out2; - -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index 101bf19..ba3c842 100644 ---- 
a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -401,6 +401,15 @@ - * @inode contains a pointer to the inode. - * @secid contains a pointer to the location where result will be saved. - * In case of failure, @secid will be set to zero. -+ * @inode_copy_up: -+ * A file is about to be copied up from lower layer to upper layer of -+ * overlay filesystem. Security module can prepare a set of new creds -+ * and modify as need be and return new creds. Caller will switch to -+ * new creds temporarily to create new file and release newly allocated -+ * creds. -+ * @src indicates the union dentry of file that is being copied up. -+ * @new pointer to pointer to return newly allocated creds. -+ * Returns 0 on success or a negative error code on error. - * - * Security hooks for file operations - * -@@ -1425,6 +1434,7 @@ union security_list_options { - int (*inode_listsecurity)(struct inode *inode, char *buffer, - size_t buffer_size); - void (*inode_getsecid)(struct inode *inode, u32 *secid); -+ int (*inode_copy_up) (struct dentry *src, struct cred **new); - - int (*file_permission)(struct file *file, int mask); - int (*file_alloc_security)(struct file *file); -@@ -1696,6 +1706,7 @@ struct security_hook_heads { - struct list_head inode_setsecurity; - struct list_head inode_listsecurity; - struct list_head inode_getsecid; -+ struct list_head inode_copy_up; - struct list_head file_permission; - struct list_head file_alloc_security; - struct list_head file_free_security; -diff --git a/include/linux/security.h b/include/linux/security.h -index 7831cd5..c5b0ccd 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf - int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); - int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); - void 
security_inode_getsecid(struct inode *inode, u32 *secid); -+int security_inode_copy_up(struct dentry *src, struct cred **new); - int security_file_permission(struct file *file, int mask); - int security_file_alloc(struct file *file); - void security_file_free(struct file *file); -@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid) - *secid = 0; - } - -+static inline int security_inode_copy_up(struct dentry *src, struct cred **new) -+{ -+ return 0; -+} -+ - static inline int security_file_permission(struct file *file, int mask) - { - return 0; -diff --git a/security/security.c b/security/security.c -index 4838e7f..f2a7f27 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) - call_void_hook(inode_getsecid, inode, secid); - } - -+int security_inode_copy_up(struct dentry *src, struct cred **new) -+{ -+ return call_int_hook(inode_copy_up, 0, src, new); -+} -+EXPORT_SYMBOL(security_inode_copy_up); -+ - int security_file_permission(struct file *file, int mask) - { - int ret; -@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = { - LIST_HEAD_INIT(security_hook_heads.inode_listsecurity), - .inode_getsecid = - LIST_HEAD_INIT(security_hook_heads.inode_getsecid), -+ .inode_copy_up = -+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up), - .file_permission = - LIST_HEAD_INIT(security_hook_heads.file_permission), - .file_alloc_security = --- -2.9.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch deleted file mode 100644 index c083c6962a..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0002-selinux-Implementation-for-inode_copy_up-hook.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From b45eb80e5b2412980d38d2ea00aabc3057a91a05 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 02/24] selinux: Implementation for inode_copy_up() hook - -A file is being copied up for overlay file system. Prepare a new set of -creds and set create_sid appropriately so that new file is created with -appropriate label. - -Overlay inode has right label for both context and non-context mount -cases. In case of non-context mount, overlay inode will have the label -of lower file and in case of context mount, overlay inode will have -the label from context= mount option. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - security/selinux/hooks.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 13185a6..264ee90 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid) - *secid = isec->sid; - } - -+static int selinux_inode_copy_up(struct dentry *src, struct cred **new) -+{ -+ u32 sid; -+ struct task_security_struct *tsec; -+ struct cred *new_creds = *new; -+ -+ if (new_creds == NULL) { -+ new_creds = prepare_creds(); -+ if (!new_creds) -+ return -ENOMEM; -+ } -+ -+ tsec = new_creds->security; -+ /* Get label from overlay inode and set it in create_sid */ -+ selinux_inode_getsecid(d_inode(src), &sid); -+ tsec->create_sid = sid; -+ *new = new_creds; -+ return 0; -+} -+ - /* file security operations */ - - static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = { - LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), - LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), -+ LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), - - 
LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), --- -2.9.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch deleted file mode 100644 index 6a4300bf11..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0003-security-overlayfs-Provide-security-hook-for-copy-up.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From 8a5e4f3cd784d18008e2f32f07cf7ab2f949c00a Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 03/24] security,overlayfs: Provide security hook for copy up - of xattrs for overlay file - -Provide a security hook which is called when xattrs of a file are being -copied up. This hook is called once for each xattr and LSM can return -0 if the security module wants the xattr to be copied up, 1 if the -security module wants the xattr to be discarded on the copy, -EOPNOTSUPP -if the security module does not handle/manage the xattr, or a -errno -upon an error. - -Signed-off-by: David Howells -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - fs/overlayfs/copy_up.c | 7 +++++++ - include/linux/lsm_hooks.h | 10 ++++++++++ - include/linux/security.h | 6 ++++++ - security/security.c | 8 ++++++++ - 4 files changed, 31 insertions(+) - -diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c -index 14a892b..8797c72 100644 ---- a/fs/overlayfs/copy_up.c -+++ b/fs/overlayfs/copy_up.c -@@ -115,6 +115,13 @@ retry: - goto retry; - } - -+ error = security_inode_copy_up_xattr(name); -+ if (error < 0 && error != -EOPNOTSUPP) -+ break; -+ if (error == 1) { -+ error = 0; -+ continue; /* Discard */ -+ } - error = vfs_setxattr(new, name, value, size, 0); - if (error) - break; -diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h -index ba3c842..336b3fb 100644 ---- a/include/linux/lsm_hooks.h -+++ b/include/linux/lsm_hooks.h -@@ -410,6 +410,14 @@ - * @src indicates the union dentry of file that is being copied up. - * @new pointer to pointer to return newly allocated creds. - * Returns 0 on success or a negative error code on error. -+ * @inode_copy_up_xattr: -+ * Filter the xattrs being copied up when a unioned file is copied -+ * up from a lower layer to the union/overlay layer. -+ * @name indicates the name of the xattr. 
-+ * Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if -+ * security module does not know about attribute or a negative error code -+ * to abort the copy up. Note that the caller is responsible for reading -+ * and writing the xattrs as this hook is merely a filter. - * - * Security hooks for file operations - * -@@ -1435,6 +1443,7 @@ union security_list_options { - size_t buffer_size); - void (*inode_getsecid)(struct inode *inode, u32 *secid); - int (*inode_copy_up) (struct dentry *src, struct cred **new); -+ int (*inode_copy_up_xattr) (const char *name); - - int (*file_permission)(struct file *file, int mask); - int (*file_alloc_security)(struct file *file); -@@ -1707,6 +1716,7 @@ struct security_hook_heads { - struct list_head inode_listsecurity; - struct list_head inode_getsecid; - struct list_head inode_copy_up; -+ struct list_head inode_copy_up_xattr; - struct list_head file_permission; - struct list_head file_alloc_security; - struct list_head file_free_security; -diff --git a/include/linux/security.h b/include/linux/security.h -index c5b0ccd..536fafd 100644 ---- a/include/linux/security.h -+++ b/include/linux/security.h -@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void - int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); - void security_inode_getsecid(struct inode *inode, u32 *secid); - int security_inode_copy_up(struct dentry *src, struct cred **new); -+int security_inode_copy_up_xattr(const char *name); - int security_file_permission(struct file *file, int mask); - int security_file_alloc(struct file *file); - void security_file_free(struct file *file); -@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new) - return 0; - } - -+static inline int security_inode_copy_up_xattr(const char *name) -+{ -+ return -EOPNOTSUPP; -+} -+ - static inline int security_file_permission(struct file *file, int mask) - { - 
return 0; -diff --git a/security/security.c b/security/security.c -index f2a7f27..a9e2bb9 100644 ---- a/security/security.c -+++ b/security/security.c -@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new) - } - EXPORT_SYMBOL(security_inode_copy_up); - -+int security_inode_copy_up_xattr(const char *name) -+{ -+ return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name); -+} -+EXPORT_SYMBOL(security_inode_copy_up_xattr); -+ - int security_file_permission(struct file *file, int mask) - { - int ret; -@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = { - LIST_HEAD_INIT(security_hook_heads.inode_getsecid), - .inode_copy_up = - LIST_HEAD_INIT(security_hook_heads.inode_copy_up), -+ .inode_copy_up_xattr = -+ LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr), - .file_permission = - LIST_HEAD_INIT(security_hook_heads.file_permission), - .file_alloc_security = --- -2.9.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch deleted file mode 100644 index 2091851e53..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0004-selinux-Implementation-for-inode_copy_up_xattr-hook.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 6f9f7038760f6ed22de9beb621d1dcd5259bfa00 Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 19 Jul 2016 14:34:58 -0400 -Subject: [PATCH 04/24] selinux: Implementation for inode_copy_up_xattr() hook - -When a file is copied up in overlay, we have already created file on upper/ -with right label and there is no need to copy up selinux label/xattr from -lower file to upper file. In fact in case of context mount, we don't want -to copy up label as newly created file got its label from context= option. - -Signed-off-by: Vivek Goyal -Acked-by: Stephen Smalley ---- - security/selinux/hooks.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 264ee90..d30d7b3 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) - return 0; - } - -+static int selinux_inode_copy_up_xattr(const char *name) -+{ -+ /* The copy_up hook above sets the initial context on an inode, but we -+ * don't then want to overwrite it by blindly copying all the lower -+ * xattrs up. Instead, we have to filter out SELinux-related xattrs. -+ */ -+ if (strcmp(name, XATTR_NAME_SELINUX) == 0) -+ return 1; /* Discard */ -+ /* -+ * Any other attribute apart from SELINUX is not claimed, supported -+ * by selinux. 
-+ */ -+ return -EOPNOTSUPP; -+} -+ - /* file security operations */ - - static int selinux_revalidate_file_permission(struct file *file, int mask) -@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = { - LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), - LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), -+ LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), - - LSM_HOOK_INIT(file_permission, selinux_file_permission), - LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security), --- -2.9.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch deleted file mode 100644 index 7f07df4d81..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0005-selinux-Pass-security-pointer-to-determine_inode_lab.patch +++ /dev/null 
@@ -1,73 +0,0 @@
-From 1104a4c8e3bdf480e5ca55b558a3812b5190bb84 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 05/24] selinux: Pass security pointer to
- determine_inode_label()
-
-Right now selinux_determine_inode_label() works on security pointer of
-current task. Soon I need this to work on a security pointer retrieved
-from a set of creds. So start passing in a pointer and caller can decide
-where to fetch security pointer from.
-
-Signed-off-by: Vivek Goyal
-Acked-by: Stephen Smalley
----
- security/selinux/hooks.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index d30d7b3..2bf0d00 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -1808,13 +1808,13 @@ out:
- /*
- * Determine the label for an inode that might be unioned.
- */
--static int selinux_determine_inode_label(struct inode *dir,
-- const struct qstr *name,
-- u16 tclass,
-- u32 *_new_isid)
-+static int
-+selinux_determine_inode_label(const struct task_security_struct *tsec,
-+ struct inode *dir,
-+ const struct qstr *name, u16 tclass,
-+ u32 *_new_isid)
- {
- const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
-- const struct task_security_struct *tsec = current_security();
- 
- if ((sbsec->flags & SE_SBINITIALIZED) &&
- (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
-@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
- if (rc)
- return rc;
- 
-- rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
-- &newsid);
-+ rc = selinux_determine_inode_label(current_security(), dir,
-+ &dentry->d_name, tclass, &newsid);
- if (rc)
- return rc;
- 
-@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- u32 newsid;
- int rc;
- 
-- rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
-+ rc = selinux_determine_inode_label(current_security(),
-+ d_inode(dentry->d_parent), name,
- inode_mode_to_security_class(mode),
- &newsid);
- if (rc)
-@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- sid = tsec->sid;
- newsid = tsec->create_sid;
- 
-- rc = selinux_determine_inode_label(
-+ rc = selinux_determine_inode_label(current_security(),
- dir, qstr,
- inode_mode_to_security_class(inode->i_mode),
- &newsid);
---
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch
deleted file mode 100644
index 43c722b245..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0006-security-overlayfs-Provide-hook-to-correctly-label-n.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 6edae1670b755c5c747bdb30031ff9b24f2f585e Mon Sep 17 00:00:00 2001
-From: Vivek Goyal
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 06/24] security, overlayfs: Provide hook to correctly label
- newly created files
-
-During a new file creation we need to make sure new file is created with the
-right label. New file is created in upper/ so effectively file should get
-label as if task had created file in upper/.
-
-We switched to mounter's creds for actual file creation. Also if there is a
-whiteout present, then file will be created in work/ dir first and then
-renamed in upper. In none of the cases file will be labeled as we want it to
-be.
-
-This patch introduces a new hook dentry_create_files_as(), which determines
-the label/context dentry will get if it had been created by task in upper
-and modify passed set of creds appropriately. Caller makes use of these new
-creds for file creation.
-
-Signed-off-by: Vivek Goyal
-Acked-by: Stephen Smalley
----
- fs/overlayfs/dir.c | 10 ++++++++++
- include/linux/lsm_hooks.h | 15 +++++++++++++++
- include/linux/security.h | 12 ++++++++++++
- security/security.c | 11 +++++++++++
- 4 files changed, 48 insertions(+)
-
-diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
-index 74e6964..adfaa21 100644
---- a/fs/overlayfs/dir.c
-+++ b/fs/overlayfs/dir.c
-@@ -492,6 +492,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- if (override_cred) {
- override_cred->fsuid = inode->i_uid;
- override_cred->fsgid = inode->i_gid;
-+ if (!hardlink) {
-+ err = security_dentry_create_files_as(dentry,
-+ stat->mode, &dentry->d_name, old_cred,
-+ override_cred);
-+ if (err) {
-+ put_cred(override_cred);
-+ goto out_revert_creds;
-+ }
-+ }
- put_cred(override_creds(override_cred));
- put_cred(override_cred);
- 
-@@ -502,6 +511,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- err = ovl_create_over_whiteout(dentry, inode, stat,
- link, hardlink);
- }
-+out_revert_creds:
- revert_creds(old_cred);
- if (!err) {
- struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 336b3fb..55891c0 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -151,6 +151,16 @@
- * @name name of the last path component used to create file
- * @ctx pointer to place the pointer to the resulting context in.
- * @ctxlen point to place the length of the resulting context.
-+ * @dentry_create_files_as:
-+ * Compute a context for a dentry as the inode is not yet available
-+ * and set that context in passed in creds so that new files are
-+ * created using that context. Context is calculated using the
-+ * passed in creds and not the creds of the caller.
-+ * @dentry dentry to use in calculating the context.
-+ * @mode mode used to determine resource type.
-+ * @name name of the last path component used to create file
-+ * @old creds which should be used for context calculation
-+ * @new creds to modify
- *
- *
- * Security hooks for inode operations.
-@@ -1375,6 +1385,10 @@ union security_list_options {
- int (*dentry_init_security)(struct dentry *dentry, int mode,
- const struct qstr *name, void **ctx,
- u32 *ctxlen);
-+ int (*dentry_create_files_as)(struct dentry *dentry, int mode,
-+ struct qstr *name,
-+ const struct cred *old,
-+ struct cred *new);
- 
- 
- #ifdef CONFIG_SECURITY_PATH
-@@ -1675,6 +1689,7 @@ struct security_hook_heads {
- struct list_head sb_clone_mnt_opts;
- struct list_head sb_parse_opts_str;
- struct list_head dentry_init_security;
-+ struct list_head dentry_create_files_as;
- #ifdef CONFIG_SECURITY_PATH
- struct list_head path_unlink;
- struct list_head path_mkdir;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 536fafd..a6c6d5d 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
- int security_dentry_init_security(struct dentry *dentry, int mode,
- const struct qstr *name, void **ctx,
- u32 *ctxlen);
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+ struct qstr *name,
-+ const struct cred *old,
-+ struct cred *new);
- 
- int security_inode_alloc(struct inode *inode);
- void security_inode_free(struct inode *inode);
-@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
- return -EOPNOTSUPP;
- }
- 
-+static inline int security_dentry_create_files_as(struct dentry *dentry,
-+ int mode, struct qstr *name,
-+ const struct cred *old,
-+ struct cred *new)
-+{
-+ return 0;
-+}
-+
- 
- static inline int security_inode_init_security(struct inode *inode,
- struct inode *dir,
-diff --git a/security/security.c b/security/security.c
-index a9e2bb9..69614f1 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
- }
- EXPORT_SYMBOL(security_dentry_init_security);
- 
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+ struct qstr *name,
-+ const struct cred *old, struct cred *new)
-+{
-+ return call_int_hook(dentry_create_files_as, 0, dentry, mode,
-+ name, old, new);
-+}
-+EXPORT_SYMBOL(security_dentry_create_files_as);
-+
- int security_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr,
- const initxattrs initxattrs, void *fs_data)
-@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
- LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- .dentry_init_security =
- LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
-+ .dentry_create_files_as =
-+ LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
- #ifdef CONFIG_SECURITY_PATH
- .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink),
- .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir),
---
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch
deleted file mode 100644
index a5d9cc2483..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0007-selinux-Implement-dentry_create_files_as-hook.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From d1d5776d41d3c426ccb6984206d20769ba1ad01f Mon Sep 17 00:00:00 2001
-From: Vivek Goyal
-Date: Tue, 19 Jul 2016 14:34:59 -0400
-Subject: [PATCH 07/24] selinux: Implement dentry_create_files_as() hook
-
-Calculate what would be the label of newly created file and set that secid
-in the passed creds.
-
-Context of the task which is actually creating file is retrieved from
-set of creds passed in. (old->security).
-
-Signed-off-by: Vivek Goyal
-Acked-by: Stephen Smalley
----
- security/selinux/hooks.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 2bf0d00..603b600 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- return security_sid_to_context(newsid, (char **)ctx, ctxlen);
- }
- 
-+static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
-+ struct qstr *name,
-+ const struct cred *old,
-+ struct cred *new)
-+{
-+ u32 newsid;
-+ int rc;
-+ struct task_security_struct *tsec;
-+
-+ rc = selinux_determine_inode_label(old->security,
-+ d_inode(dentry->d_parent), name,
-+ inode_mode_to_security_class(mode),
-+ &newsid);
-+ if (rc)
-+ return rc;
-+
-+ tsec = new->security;
-+ tsec->create_sid = newsid;
-+ return 0;
-+}
-+
- static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- const struct qstr *qstr,
- const char **name,
-@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
- LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
- 
- LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
-+ LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
- 
- LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
- LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
---
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch
deleted file mode 100644
index 8b2ce25df1..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0022-Revert-tty-serial-8250-add-CON_CONSDEV-to-flags.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e47cbf707c26036420fec8846d07ec640b744c0e Mon Sep 17 00:00:00 2001
-From: Herbert Xu
-Date: Sun, 11 Dec 2016 10:05:49 +0800
-Subject: [PATCH 22/24] Revert "tty: serial: 8250: add CON_CONSDEV to flags"
-
-This commit needs to be reverted because it prevents people from
-using the serial console as a secondary console with input being
-directed to tty0.
-
-IOW, if you boot with console=ttyS0 console=tty0 then all kernels
-prior to this commit will produce output on both ttyS0 and tty0
-but input will only be taken from tty0. With this patch the serial
-console will always be the primary console instead of tty0,
-potentially preventing people from getting into their machines in
-emergency situations.
-
-Fixes: d03516df8375 ("tty: serial: 8250: add CON_CONSDEV to flags")
-Signed-off-by: Herbert Xu
-Cc: stable
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/tty/serial/8250/8250_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
-index dcf43f6..fa823a5 100644
---- a/drivers/tty/serial/8250/8250_core.c
-+++ b/drivers/tty/serial/8250/8250_core.c
-@@ -675,7 +675,7 @@ static struct console univ8250_console = {
- .device = uart_console_device,
- .setup = univ8250_console_setup,
- .match = univ8250_console_match,
-- .flags = CON_PRINTBUFFER | CON_ANYTIME | CON_CONSDEV,
-+ .flags = CON_PRINTBUFFER | CON_ANYTIME,
- .index = -1,
- .data = &serial8250_reg,
- };
---
-2.9.3
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch
similarity index 88%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch
index 082b3eca21..144dc975de 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0008-Add-secure_modules-call.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0001-Add-secure_modules-call.patch
@@ -1,7 +1,7 @@
-From 14accb84196be11dbfc524cc24014f479c81e5e2 Mon Sep 17 00:00:00 2001
+From 428385fe28e9523377ecf26c97dd36382468fd8d Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 9 Aug 2013 17:58:15 -0400
-Subject: [PATCH 08/24] Add secure_modules() call
+Subject: [PATCH 01/18] Add secure_modules() call
 
 Provide a single call to allow kernel code to determine whether the
 system has been configured to either disable module loading entirely or to load
@@ -41,10 +41,10 @@ index 0c3207d..c8b4ea0 100644
  
  #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 529efae..0332fdd 100644
+index 0e54d5b..085b720 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -4279,3 +4279,13 @@ void module_layout(struct module *mod,
+@@ -4285,3 +4285,13 @@ void module_layout(struct module *mod,
  }
  EXPORT_SYMBOL(module_layout);
  #endif
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
index 3d4a8c82ee..55d26e705a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0009-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch
@@ -1,7 +1,7 @@
-From c1a2f1afbbccfb4c5659b4dae4f82b442c38f57b Mon Sep 17 00:00:00 2001
+From ac008727488d38debfe9d336bc3172c0cc6a55d3 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Thu, 8 Mar 2012 10:10:38 -0500
-Subject: [PATCH 09/24] PCI: Lock down BAR access when module security is
+Subject: [PATCH 02/18] PCI: Lock down BAR access when module security is
  enabled
 
 Any hardware that can potentially generate DMA has to be locked down from
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
similarity index 89%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
index c5d49c0d2b..d85409d460 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0010-x86-Lock-down-IO-port-access-when-module-security-is.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0003-x86-Lock-down-IO-port-access-when-module-security-is.patch
@@ -1,7 +1,7 @@
-From ef9962bc8d75916b7c2f70a4b13b53f3332efa40 Mon Sep 17 00:00:00 2001
+From 594c655d0c106fbc6c3789688d0f58dd741f2c49 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Thu, 8 Mar 2012 10:35:59 -0500
-Subject: [PATCH 10/24] x86: Lock down IO port access when module security is
+Subject: [PATCH 03/18] x86: Lock down IO port access when module security is
  enabled
 
 IO port access would permit users to gain access to PCI configuration
@@ -46,7 +46,7 @@ index 589b319..ab83724 100644
  }
  regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index a33163d..48a2897 100644
+index 6d9cc2d..a6eca51 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -28,6 +28,7 @@
@@ -57,7 +57,7 @@ index a33163d..48a2897 100644 #include -@@ -574,6 +575,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, +@@ -578,6 +579,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, unsigned long i = *ppos; const char __user *tmp = buf; diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch similarity index 88% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch index 8d9706d52f..6a8e32480c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0011-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0004-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ -From d01d4b34ddae2cd731d4b8b08c53260a448806b6 Mon Sep 17 00:00:00 2001 +From 6514dc7053261af884ba59e0a6c08a1c091dc9e0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 11/24] ACPI: Limit access to custom_method +Subject: [PATCH 04/18] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
similarity index 90%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
index b89f5a6949..762d117787 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0012-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch
@@ -1,7 +1,7 @@
-From 70e4a01956577b99322da3aa0ff3bc991fc23401 Mon Sep 17 00:00:00 2001
+From 459c4b5751f448645f26292fe780d97d47e84265 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 9 Mar 2012 08:46:50 -0500
-Subject: [PATCH 12/24] asus-wmi: Restrict debugfs interface when module
+Subject: [PATCH 05/18] asus-wmi: Restrict debugfs interface when module
  loading is restricted
 
 We have no way of validating what all of the Asus WMI methods do on a
@@ -16,7 +16,7 @@ Signed-off-by: Matthew Garrett
  1 file changed, 9 insertions(+)
 
 diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
-index 7c093a0..21fd6b8 100644
+index ce6ca31..55d2399 100644
 --- a/drivers/platform/x86/asus-wmi.c
 +++ b/drivers/platform/x86/asus-wmi.c
 @@ -1872,6 +1872,9 @@ static int show_dsts(struct seq_file *m, void *data)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
similarity index 83%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
index 8346f53c1a..72625e4c21 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0013-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch
@@ -1,7 +1,7 @@
-From c746f3492e8c039f9c85341d36cec803cbef9424 Mon Sep 17 00:00:00 2001
+From 06dd44588d8aa2f2c4a903b858660d6d6860c22f Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 9 Mar 2012 09:28:15 -0500
-Subject: [PATCH 13/24] Restrict /dev/mem and /dev/kmem when module loading is
+Subject: [PATCH 06/18] Restrict /dev/mem and /dev/kmem when module loading is
  restricted
 
 Allowing users to write to address space makes it possible for the kernel
@@ -14,7 +14,7 @@ Signed-off-by: Matthew Garrett
  1 file changed, 6 insertions(+)
 
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index 48a2897..08a7bff 100644
+index a6eca51..191b2b0 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
 @@ -164,6 +164,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf,
@@ -27,7 +27,7 @@ index 48a2897..08a7bff 100644 if (!valid_phys_addr_range(p, count)) return -EFAULT; -@@ -510,6 +513,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, +@@ -514,6 +517,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ int err = 0; diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index fd0f7c9c18..e4607c10b1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0014-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ -From 5f74d421b9177d8f92a9462771744e26713b3110 Mon Sep 17 00:00:00 2001 +From 904f9519810723da81230c693b60510684990837 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 14/24] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 07/18] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 4305ee9..fa1bcf0 100644 +index 416953a..4887e34 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -40,6 +40,7 @@ @@ -25,7 +25,7 @@ index 4305ee9..fa1bcf0 100644 #include #include -@@ -184,7 +185,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); +@@ -191,7 +192,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); acpi_physical_address __init acpi_os_get_root_pointer(void) { #ifdef CONFIG_KEXEC diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 2445ceea73..d271fe92d3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0015-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ -From fb93701fdbfbe966ea426cc02e6cd0abdc4e955a Mon Sep 17 00:00:00 2001 +From 97b270a085859d5ada3614b45902c0b75df2be4e Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 15/24] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 08/18] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
similarity index 89%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
index bd21391a56..10ef00a593 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0016-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch
@@ -1,7 +1,7 @@
-From c707e9d71a1beeecf41e75936c89587b68734a35 Mon Sep 17 00:00:00 2001
+From 43e3113404497c837aa083b43b0a9e08dae73f53 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 8 Feb 2013 11:12:13 -0800
-Subject: [PATCH 16/24] x86: Restrict MSR access when module loading is
+Subject: [PATCH 09/18] x86: Restrict MSR access when module loading is
  restricted
 
 Writing to MSRs should not be allowed if module loading is restricted,
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch
index 6a4f3c462f..371aec4b05 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0017-Add-option-to-automatically-enforce-module-signature.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0010-Add-option-to-automatically-enforce-module-signature.patch
@@ -1,7 +1,7 @@
-From 22a7af2714d4dc7284c8070d305fb6d15a8f119b Mon Sep 17 00:00:00 2001
+From 24fd0e7dcfb42abc8999f0bc3b55bdf02324da75 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett
 Date: Fri, 9 Aug 2013 18:36:30 -0400
-Subject: [PATCH 17/24] Add option to automatically enforce module signatures
+Subject: [PATCH 10/18] Add option to automatically enforce module signatures
  when in Secure Boot mode
 
 UEFI Secure Boot provides a mechanism for ensuring that the firmware will
@@ -34,10 +34,10 @@ index 95a4d34..b8527c6 100644
  290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
  2D0/A00 ALL e820_map E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 2a1f0ce..ba2c734 100644
+index bada636..882da2b 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1774,6 +1774,16 @@ config EFI_MIXED
+@@ -1786,6 +1786,16 @@ config EFI_MIXED
  
  If unsure, say N.
  
@@ -55,7 +55,7 @@ index 2a1f0ce..ba2c734 100644
  def_bool y
  prompt "Enable seccomp to safely compute untrusted bytecode"
diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 94dd4a3..1959b82 100644 +index cc69e37..17b3765 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -12,6 +12,7 @@ @@ -66,7 +66,7 @@ index 94dd4a3..1959b82 100644 #include "../string.h" #include "eboot.h" -@@ -571,6 +572,36 @@ free_handle: +@@ -537,6 +538,36 @@ static void setup_efi_pci(struct boot_params *params) efi_call_early(free_pool, pci_handle); } @@ -103,7 +103,7 @@ index 94dd4a3..1959b82 100644 static efi_status_t setup_uga32(void **uga_handle, unsigned long size, u32 *width, u32 *height) { -@@ -1128,6 +1159,10 @@ struct boot_params *efi_main(struct efi_config *c, +@@ -1094,6 +1125,10 @@ struct boot_params *efi_main(struct efi_config *c, else setup_boot_services32(efi_early); @@ -129,7 +129,7 @@ index c18ce67..2b3e542 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d5219b1..d635886 100644 +index 9c337b0..f7f369b 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1160,6 +1160,12 @@ void __init setup_arch(char **cmdline_p) @@ -163,10 +163,10 @@ index c8b4ea0..8918ef4 100644 extern int modules_disabled; /* for sysctl */ diff --git a/kernel/module.c b/kernel/module.c -index 0332fdd..3f1ea6b 100644 +index 085b720..e0c6216 100644 --- a/kernel/module.c +++ b/kernel/module.c -@@ -4280,6 +4280,13 @@ void module_layout(struct module *mod, +@@ -4286,6 +4286,13 @@ void module_layout(struct module *mod, EXPORT_SYMBOL(module_layout); #endif 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch similarity index 78% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index eb327e4437..29338eb48c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0018-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ -From 22710872487fdcb61445299f7cdd92d1b702fcc8 Mon Sep 17 00:00:00 2001 +From 24e6c471ffdfed1d389c9bd033117e1ca4cbd97b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 18/24] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 11/18] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. @@ -12,10 +12,10 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig -index ba2c734..a5d6b58 100644 +index 882da2b..d666ef8b 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig -@@ -1775,7 +1775,8 @@ config EFI_MIXED +@@ -1787,7 +1787,8 @@ config EFI_MIXED If unsure, say N. config EFI_SECURE_BOOT_SIG_ENFORCE 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch index c46ce7ffcd..14d3848752 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0019-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ -From b0f4c9e56311b1d894766e815570b240f5c5edbe Mon Sep 17 00:00:00 2001 +From 3891469497a0435fa026dca9fe58dc707d49c197 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 19/24] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 12/18] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. @@ -13,7 +13,7 @@ Signed-off-by: Josh Boyer 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index d635886..5824ae5 100644 +index f7f369b..60dccc2 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1162,7 +1162,9 @@ void __init setup_arch(char **cmdline_p) @@ -27,10 +27,10 @@ index d635886..5824ae5 100644 #endif diff --git a/include/linux/efi.h b/include/linux/efi.h -index 0148a30..4b62b48 100644 +index cba7177..0d76705 100644 --- a/include/linux/efi.h 
+++ b/include/linux/efi.h -@@ -1012,6 +1012,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -1045,6 +1045,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_ARCH_1 7 /* First arch-specific bit */ #define EFI_DBG 8 /* Print additional debug info at runtime */ #define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch index 7e54b9cbf4..2bcb6d151e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0020-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ -From f342c4af0fd094a2ab367c5b5bf019d41337e7e9 Mon Sep 17 00:00:00 2001 +From 804784cb138b64f247a1db03d2b43118e4d31e54 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 20/24] hibernate: Disable in a signed modules environment +Subject: [PATCH 13/18] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index 33c79b6..d1420be 100644 +index b26dbc4..ab187ad 100644 --- a/kernel/power/hibernate.c +++ b/kernel/power/hibernate.c @@ -29,6 +29,7 @@ diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 29df705f90..105906a9e0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0021-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0014-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ -From fd0e3487c3e608c27b03adad678df805eff0811f Mon Sep 17 00:00:00 2001 +From 023410cc67fdf43960f44d73121e735aeee3fc35 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 21/24] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 14/18] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for @@ -12,7 +12,7 @@ by some undesirable path component. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index ace32d3..66cfbaa 100644 +index c0c41c9..8ab8bd3 100644 --- a/Makefile +++ b/Makefile 
@@ -147,7 +147,8 @@ $(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0015-Add-arm64-coreos-verity-hash.patch similarity index 83% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0015-Add-arm64-coreos-verity-hash.patch index bd7ebe0b15..e5167d852d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0023-Add-arm64-coreos-verity-hash.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0015-Add-arm64-coreos-verity-hash.patch @@ -1,7 +1,7 @@ -From e3614cf4156b5b9eb7eb9e1a1081260ca404b0fe Mon Sep 17 00:00:00 2001 +From 888796efad08c03f7868fe02189e02132e925766 Mon Sep 17 00:00:00 2001 From: Geoff Levand Date: Fri, 11 Nov 2016 17:28:52 -0800 -Subject: [PATCH 23/24] Add arm64 coreos verity hash +Subject: [PATCH 15/18] Add arm64 coreos verity hash Signed-off-by: Geoff Levand --- @@ -9,7 +9,7 @@ Signed-off-by: Geoff Levand 1 file changed, 5 insertions(+) diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S -index 4d19508..b7ecaf9 100644 +index 332e331..964bae1 100644 --- a/arch/arm64/kernel/head.S +++ b/arch/arm64/kernel/head.S @@ -195,6 +195,11 @@ section_table: 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch similarity index 92% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch index c5950710d8..276cb1594c 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.8/z0024-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0016-selinux-allow-context-mounts-on-tmpfs-ramfs-devpts-w.patch @@ -1,7 +1,7 @@ -From e5868fc1175409ad885926cbb66cb5dc5fc3e6fa Mon Sep 17 00:00:00 2001 +From 648e8f090f90f19237cfa70c047419341de49417 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 9 Jan 2017 10:07:31 -0500 -Subject: [PATCH 24/24] selinux: allow context mounts on tmpfs, ramfs, devpts +Subject: [PATCH 16/18] selinux: allow context mounts on tmpfs, ramfs, devpts within user namespaces commit aad82892af261b9903cc11c55be3ecf5f0b0b4f8 ("selinux: Add support for @@ -31,7 +31,7 @@ Signed-off-by: Paul Moore 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 603b600..feb29df 100644 +index 09fd610..7f4387f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -832,10 +832,14 @@ static int selinux_set_mnt_opts(struct super_block *sb, 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch new file mode 100644 index 0000000000..3f017eda23 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0017-perf-x86-intel-rapl-Make-package-handling-more-robus.patch 
@@ -0,0 +1,179 @@ +From 463b9d55d967de5900c5097bc99c34f4207a85a9 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 31 Jan 2017 23:58:38 +0100 +Subject: [PATCH 17/18] perf/x86/intel/rapl: Make package handling more robust + +The package management code in RAPL relies on package mapping being +available before a CPU is started. This changed with: + + 9d85eb9119f4 ("x86/smpboot: Make logical package management more robust") + +because the ACPI/BIOS information turned out to be unreliable, but that +left RAPL in broken state. This was not noticed because on a regular boot +all CPUs are online before RAPL is initialized. + +A possible fix would be to reintroduce the mess which allocates a package +data structure in CPU prepare and when it turns out to already exist in +starting throw it away later in the CPU online callback. But that's a +horrible hack and not required at all because RAPL becomes functional for +perf only in the CPU online callback. That's correct because user space is +not yet informed about the CPU being onlined, so nothing caan rely on RAPL +being available on that particular CPU. + +Move the allocation to the CPU online callback and simplify the hotplug +handling. At this point the package mapping is established and correct. + +This also adds a missing check for available package data in the +event_init() function. 
+ +Reported-by: Yasuaki Ishimatsu +Signed-off-by: Thomas Gleixner +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Sebastian Siewior +Cc: Stephane Eranian +Cc: Vince Weaver +Fixes: 9d85eb9119f4 ("x86/smpboot: Make logical package management more robust") +Link: http://lkml.kernel.org/r/20170131230141.212593966@linutronix.de +Signed-off-by: Ingo Molnar +--- + arch/x86/events/intel/rapl.c | 60 +++++++++++++++++++------------------------- + include/linux/cpuhotplug.h | 1 - + 2 files changed, 26 insertions(+), 35 deletions(-) + +diff --git a/arch/x86/events/intel/rapl.c b/arch/x86/events/intel/rapl.c +index 0a535ce..1dba3c2 100644 +--- a/arch/x86/events/intel/rapl.c ++++ b/arch/x86/events/intel/rapl.c +@@ -161,7 +161,13 @@ static u64 rapl_timer_ms; + + static inline struct rapl_pmu *cpu_to_rapl_pmu(unsigned int cpu) + { +- return rapl_pmus->pmus[topology_logical_package_id(cpu)]; ++ unsigned int pkgid = topology_logical_package_id(cpu); ++ ++ /* ++ * The unsigned check also catches the '-1' return value for non ++ * existent mappings in the topology map. ++ */ ++ return pkgid < rapl_pmus->maxpkg ? 
rapl_pmus->pmus[pkgid] : NULL; + } + + static inline u64 rapl_read_counter(struct perf_event *event) +@@ -402,6 +408,8 @@ static int rapl_pmu_event_init(struct perf_event *event) + + /* must be done before validate_group */ + pmu = cpu_to_rapl_pmu(event->cpu); ++ if (!pmu) ++ return -EINVAL; + event->cpu = pmu->cpu; + event->pmu_private = pmu; + event->hw.event_base = msr; +@@ -585,6 +593,20 @@ static int rapl_cpu_online(unsigned int cpu) + struct rapl_pmu *pmu = cpu_to_rapl_pmu(cpu); + int target; + ++ if (!pmu) { ++ pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu)); ++ if (!pmu) ++ return -ENOMEM; ++ ++ raw_spin_lock_init(&pmu->lock); ++ INIT_LIST_HEAD(&pmu->active_list); ++ pmu->pmu = &rapl_pmus->pmu; ++ pmu->timer_interval = ms_to_ktime(rapl_timer_ms); ++ rapl_hrtimer_init(pmu); ++ ++ rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu; ++ } ++ + /* + * Check if there is an online cpu in the package which collects rapl + * events already. +@@ -598,27 +620,6 @@ static int rapl_cpu_online(unsigned int cpu) + return 0; + } + +-static int rapl_cpu_prepare(unsigned int cpu) +-{ +- struct rapl_pmu *pmu = cpu_to_rapl_pmu(cpu); +- +- if (pmu) +- return 0; +- +- pmu = kzalloc_node(sizeof(*pmu), GFP_KERNEL, cpu_to_node(cpu)); +- if (!pmu) +- return -ENOMEM; +- +- raw_spin_lock_init(&pmu->lock); +- INIT_LIST_HEAD(&pmu->active_list); +- pmu->pmu = &rapl_pmus->pmu; +- pmu->timer_interval = ms_to_ktime(rapl_timer_ms); +- pmu->cpu = -1; +- rapl_hrtimer_init(pmu); +- rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu; +- return 0; +-} +- + static int rapl_check_hw_unit(bool apply_quirk) + { + u64 msr_rapl_power_unit_bits; +@@ -802,29 +803,21 @@ static int __init rapl_pmu_init(void) + /* + * Install callbacks. Core will call them for each online cpu. 
+ */ +- +- ret = cpuhp_setup_state(CPUHP_PERF_X86_RAPL_PREP, "PERF_X86_RAPL_PREP", +- rapl_cpu_prepare, NULL); +- if (ret) +- goto out; +- + ret = cpuhp_setup_state(CPUHP_AP_PERF_X86_RAPL_ONLINE, + "AP_PERF_X86_RAPL_ONLINE", + rapl_cpu_online, rapl_cpu_offline); + if (ret) +- goto out1; ++ goto out; + + ret = perf_pmu_register(&rapl_pmus->pmu, "power", -1); + if (ret) +- goto out2; ++ goto out1; + + rapl_advertise(); + return 0; + +-out2: +- cpuhp_remove_state(CPUHP_AP_PERF_X86_RAPL_ONLINE); + out1: +- cpuhp_remove_state(CPUHP_PERF_X86_RAPL_PREP); ++ cpuhp_remove_state(CPUHP_AP_PERF_X86_RAPL_ONLINE); + out: + pr_warn("Initialization failed (%d), disabled\n", ret); + cleanup_rapl_pmus(); +@@ -835,7 +828,6 @@ module_init(rapl_pmu_init); + static void __exit intel_rapl_exit(void) + { + cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_RAPL_ONLINE); +- cpuhp_remove_state_nocalls(CPUHP_PERF_X86_RAPL_PREP); + perf_pmu_unregister(&rapl_pmus->pmu); + cleanup_rapl_pmus(); + } +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index ba1cad7..965cc56 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -10,7 +10,6 @@ enum cpuhp_state { + CPUHP_PERF_X86_PREPARE, + CPUHP_PERF_X86_UNCORE_PREP, + CPUHP_PERF_X86_AMD_UNCORE_PREP, +- CPUHP_PERF_X86_RAPL_PREP, + CPUHP_PERF_BFIN, + CPUHP_PERF_POWER, + CPUHP_PERF_SUPERH, +-- +2.9.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch new file mode 100644 index 0000000000..fb88026ffb --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.9/z0018-perf-x86-intel-uncore-Make-package-handling-more-rob.patch 
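Review bot: In the allocation branch added to rapl_cpu_online, the new pmu is stored with `rapl_pmus->pmus[topology_logical_package_id(cpu)] = pmu;` using the raw topology id, while the cpu_to_rapl_pmu change in the same patch documents that this lookup can return -1 for a CPU with no package mapping; in that case the helper returns NULL, this branch allocates, and the store indexes pmus[] with -1. Reusing the already-bounded id closes that: `unsigned int pkgid = topology_logical_package_id(cpu);` at the top of the function and `if (pkgid >= rapl_pmus->maxpkg) return -EINVAL;` before the kzalloc_node, then `rapl_pmus->pmus[pkgid] = pmu;`. The removed rapl_cpu_prepare also set `pmu->cpu = -1` on a fresh pmu, and the new path leaves kzalloc's 0 there; that is presumably harmless if a collector CPU is assigned before any reader of pmu->cpu, but it is worth confirming against the code between this hunk and the next, since rapl_cpu_online's body continues outside the shown lines.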
@@ -0,0 +1,309 @@ +From c768c2f2907728b8ce5c43718221afcd1353da8b Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 31 Jan 2017 23:58:40 +0100 +Subject: [PATCH 18/18] perf/x86/intel/uncore: Make package handling more + robust + +The package management code in uncore relies on package mapping being +available before a CPU is started. This changed with: + + 9d85eb9119f4 ("x86/smpboot: Make logical package management more robust") + +because the ACPI/BIOS information turned out to be unreliable, but that +left uncore in broken state. This was not noticed because on a regular boot +all CPUs are online before uncore is initialized. + +Move the allocation to the CPU online callback and simplify the hotplug +handling. At this point the package mapping is established and correct. + +Signed-off-by: Thomas Gleixner +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Sebastian Siewior +Cc: Stephane Eranian +Cc: Vince Weaver +Cc: Yasuaki Ishimatsu +Fixes: 9d85eb9119f4 ("x86/smpboot: Make logical package management more robust") +Link: http://lkml.kernel.org/r/20170131230141.377156255@linutronix.de +Signed-off-by: Ingo Molnar +--- + arch/x86/events/intel/uncore.c | 196 +++++++++++++++++++---------------------- + include/linux/cpuhotplug.h | 2 - + 2 files changed, 91 insertions(+), 107 deletions(-) + +diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c +index 19d646a..f2d760d 100644 +--- a/arch/x86/events/intel/uncore.c ++++ b/arch/x86/events/intel/uncore.c +@@ -100,7 +100,13 @@ ssize_t uncore_event_show(struct kobject *kobj, + + struct intel_uncore_box *uncore_pmu_to_box(struct intel_uncore_pmu *pmu, int cpu) + { +- return pmu->boxes[topology_logical_package_id(cpu)]; ++ unsigned int pkgid = topology_logical_package_id(cpu); ++ ++ /* ++ * The unsigned check also catches the '-1' return value for non ++ * existent mappings in the topology map. ++ */ ++ return pkgid < max_packages ? 
pmu->boxes[pkgid] : NULL; + } + + u64 uncore_msr_read_counter(struct intel_uncore_box *box, struct perf_event *event) +@@ -1033,76 +1039,6 @@ static void uncore_pci_exit(void) + } + } + +-static int uncore_cpu_dying(unsigned int cpu) +-{ +- struct intel_uncore_type *type, **types = uncore_msr_uncores; +- struct intel_uncore_pmu *pmu; +- struct intel_uncore_box *box; +- int i, pkg; +- +- pkg = topology_logical_package_id(cpu); +- for (; *types; types++) { +- type = *types; +- pmu = type->pmus; +- for (i = 0; i < type->num_boxes; i++, pmu++) { +- box = pmu->boxes[pkg]; +- if (box && atomic_dec_return(&box->refcnt) == 0) +- uncore_box_exit(box); +- } +- } +- return 0; +-} +- +-static int uncore_cpu_starting(unsigned int cpu) +-{ +- struct intel_uncore_type *type, **types = uncore_msr_uncores; +- struct intel_uncore_pmu *pmu; +- struct intel_uncore_box *box; +- int i, pkg; +- +- pkg = topology_logical_package_id(cpu); +- for (; *types; types++) { +- type = *types; +- pmu = type->pmus; +- for (i = 0; i < type->num_boxes; i++, pmu++) { +- box = pmu->boxes[pkg]; +- if (!box) +- continue; +- /* The first cpu on a package activates the box */ +- if (atomic_inc_return(&box->refcnt) == 1) +- uncore_box_init(box); +- } +- } +- +- return 0; +-} +- +-static int uncore_cpu_prepare(unsigned int cpu) +-{ +- struct intel_uncore_type *type, **types = uncore_msr_uncores; +- struct intel_uncore_pmu *pmu; +- struct intel_uncore_box *box; +- int i, pkg; +- +- pkg = topology_logical_package_id(cpu); +- for (; *types; types++) { +- type = *types; +- pmu = type->pmus; +- for (i = 0; i < type->num_boxes; i++, pmu++) { +- if (pmu->boxes[pkg]) +- continue; +- /* First cpu of a package allocates the box */ +- box = uncore_alloc_box(type, cpu_to_node(cpu)); +- if (!box) +- return -ENOMEM; +- box->pmu = pmu; +- box->pkgid = pkg; +- pmu->boxes[pkg] = box; +- } +- } +- return 0; +-} +- + static void uncore_change_type_ctx(struct intel_uncore_type *type, int old_cpu, + int new_cpu) + { +@@ -1142,12 
+1078,14 @@ static void uncore_change_context(struct intel_uncore_type **uncores, + + static int uncore_event_cpu_offline(unsigned int cpu) + { +- int target; ++ struct intel_uncore_type *type, **types = uncore_msr_uncores; ++ struct intel_uncore_pmu *pmu; ++ struct intel_uncore_box *box; ++ int i, pkg, target; + + /* Check if exiting cpu is used for collecting uncore events */ + if (!cpumask_test_and_clear_cpu(cpu, &uncore_cpu_mask)) +- return 0; +- ++ goto unref; + /* Find a new cpu to collect uncore events */ + target = cpumask_any_but(topology_core_cpumask(cpu), cpu); + +@@ -1159,12 +1097,82 @@ static int uncore_event_cpu_offline(unsigned int cpu) + + uncore_change_context(uncore_msr_uncores, cpu, target); + uncore_change_context(uncore_pci_uncores, cpu, target); ++ ++unref: ++ /* Clear the references */ ++ pkg = topology_logical_package_id(cpu); ++ for (; *types; types++) { ++ type = *types; ++ pmu = type->pmus; ++ for (i = 0; i < type->num_boxes; i++, pmu++) { ++ box = pmu->boxes[pkg]; ++ if (box && atomic_dec_return(&box->refcnt) == 0) ++ uncore_box_exit(box); ++ } ++ } + return 0; + } + ++static int allocate_boxes(struct intel_uncore_type **types, ++ unsigned int pkg, unsigned int cpu) ++{ ++ struct intel_uncore_box *box, *tmp; ++ struct intel_uncore_type *type; ++ struct intel_uncore_pmu *pmu; ++ LIST_HEAD(allocated); ++ int i; ++ ++ /* Try to allocate all required boxes */ ++ for (; *types; types++) { ++ type = *types; ++ pmu = type->pmus; ++ for (i = 0; i < type->num_boxes; i++, pmu++) { ++ if (pmu->boxes[pkg]) ++ continue; ++ box = uncore_alloc_box(type, cpu_to_node(cpu)); ++ if (!box) ++ goto cleanup; ++ box->pmu = pmu; ++ box->pkgid = pkg; ++ list_add(&box->active_list, &allocated); ++ } ++ } ++ /* Install them in the pmus */ ++ list_for_each_entry_safe(box, tmp, &allocated, active_list) { ++ list_del_init(&box->active_list); ++ box->pmu->boxes[pkg] = box; ++ } ++ return 0; ++ ++cleanup: ++ list_for_each_entry_safe(box, tmp, &allocated, active_list) { 
++ list_del_init(&box->active_list); ++ kfree(box); ++ } ++ return -ENOMEM; ++} ++ + static int uncore_event_cpu_online(unsigned int cpu) + { +- int target; ++ struct intel_uncore_type *type, **types = uncore_msr_uncores; ++ struct intel_uncore_pmu *pmu; ++ struct intel_uncore_box *box; ++ int i, ret, pkg, target; ++ ++ pkg = topology_logical_package_id(cpu); ++ ret = allocate_boxes(types, pkg, cpu); ++ if (ret) ++ return ret; ++ ++ for (; *types; types++) { ++ type = *types; ++ pmu = type->pmus; ++ for (i = 0; i < type->num_boxes; i++, pmu++) { ++ box = pmu->boxes[pkg]; ++ if (!box && atomic_inc_return(&box->refcnt) == 1) ++ uncore_box_init(box); ++ } ++ } + + /* + * Check if there is an online cpu in the package +@@ -1354,33 +1362,13 @@ static int __init intel_uncore_init(void) + if (cret && pret) + return -ENODEV; + +- /* +- * Install callbacks. Core will call them for each online cpu. +- * +- * The first online cpu of each package allocates and takes +- * the refcounts for all other online cpus in that package. +- * If msrs are not enabled no allocation is required and +- * uncore_cpu_prepare() is not called for each online cpu. 
+- */ +- if (!cret) { +- ret = cpuhp_setup_state(CPUHP_PERF_X86_UNCORE_PREP, +- "PERF_X86_UNCORE_PREP", +- uncore_cpu_prepare, NULL); +- if (ret) +- goto err; +- } else { +- cpuhp_setup_state_nocalls(CPUHP_PERF_X86_UNCORE_PREP, +- "PERF_X86_UNCORE_PREP", +- uncore_cpu_prepare, NULL); +- } +- +- cpuhp_setup_state(CPUHP_AP_PERF_X86_UNCORE_STARTING, +- "AP_PERF_X86_UNCORE_STARTING", +- uncore_cpu_starting, uncore_cpu_dying); +- +- cpuhp_setup_state(CPUHP_AP_PERF_X86_UNCORE_ONLINE, +- "AP_PERF_X86_UNCORE_ONLINE", +- uncore_event_cpu_online, uncore_event_cpu_offline); ++ /* Install hotplug callbacks to setup the targets for each package */ ++ ret = cpuhp_setup_state(CPUHP_AP_PERF_X86_UNCORE_ONLINE, ++ "AP_PERF_X86_UNCORE_ONLINE", ++ uncore_event_cpu_online, ++ uncore_event_cpu_offline); ++ if (ret) ++ goto err; + return 0; + + err: +@@ -1392,9 +1380,7 @@ module_init(intel_uncore_init); + + static void __exit intel_uncore_exit(void) + { +- cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_UNCORE_ONLINE); +- cpuhp_remove_state_nocalls(CPUHP_AP_PERF_X86_UNCORE_STARTING); +- cpuhp_remove_state_nocalls(CPUHP_PERF_X86_UNCORE_PREP); ++ cpuhp_remove_state(CPUHP_AP_PERF_X86_UNCORE_ONLINE); + uncore_types_exit(uncore_msr_uncores); + uncore_pci_exit(); + } +diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h +index 965cc56..ce83119 100644 +--- a/include/linux/cpuhotplug.h ++++ b/include/linux/cpuhotplug.h +@@ -8,7 +8,6 @@ enum cpuhp_state { + CPUHP_CREATE_THREADS, + CPUHP_PERF_PREPARE, + CPUHP_PERF_X86_PREPARE, +- CPUHP_PERF_X86_UNCORE_PREP, + CPUHP_PERF_X86_AMD_UNCORE_PREP, + CPUHP_PERF_BFIN, + CPUHP_PERF_POWER, +@@ -63,7 +62,6 @@ enum cpuhp_state { + CPUHP_AP_IRQ_ARMADA_CASC_STARTING, + CPUHP_AP_IRQ_BCM2836_STARTING, + CPUHP_AP_ARM_MVEBU_COHERENCY, +- CPUHP_AP_PERF_X86_UNCORE_STARTING, + CPUHP_AP_PERF_X86_AMD_UNCORE_STARTING, + CPUHP_AP_PERF_X86_STARTING, + CPUHP_AP_PERF_X86_AMD_IBS_STARTING, +-- +2.9.3 +
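Review bot: The box-activation loop added to uncore_event_cpu_online inverts its guard: `if (!box && atomic_inc_return(&box->refcnt) == 1)` dereferences box exactly when it is NULL and never initialises a box that allocate_boxes just installed, so the first CPU of a package either faults on a missing box or leaves every box uninitialised. The condition carried by the removed uncore_cpu_starting is the intended one: `if (box && atomic_inc_return(&box->refcnt) == 1)`. Separately, `pkg = topology_logical_package_id(cpu)` is passed to allocate_boxes and used to index `pmu->boxes[pkg]` unguarded, although uncore_pmu_to_box in the same patch notes that the lookup can yield -1; a bound mirroring that helper's `pkgid < max_packages` comparison, returning -EINVAL before allocate_boxes, would keep an unmapped CPU from indexing boxes[] out of range. The same unguarded index pattern appears in the rapl patch's rapl_cpu_online. uncore_event_cpu_online's body continues outside the shown lines.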