From fad7f689ed88b2f3f0898fed8cf0a5feb38ad683 Mon Sep 17 00:00:00 2001 
From: Nick Owens Date: Tue, 19 Jan 2016 14:35:01 -0800 Subject: [PATCH] sys-kernel/coreos-{sources,kernel}: apply patch for CVE-2016-0728 --- ...1.ebuild => coreos-kernel-4.4.0-r2.ebuild} | 2 +- ....ebuild => coreos-sources-4.4.0-r1.ebuild} | 0 .../4.4/0001-Add-secure_modules-call.patch | 2 +- ...R-access-when-module-security-is-ena.patch | 2 +- ...-port-access-when-module-security-is.patch | 2 +- ...4-ACPI-Limit-access-to-custom_method.patch | 2 +- ...t-debugfs-interface-when-module-load.patch | 2 +- ...-and-dev-kmem-when-module-loading-is.patch | 2 +- ..._rsdp-kernel-parameter-when-module-l.patch | 2 +- ...-runtime-if-the-kernel-enforces-modu.patch | 2 +- ...-access-when-module-loading-is-restr.patch | 2 +- ...tomatically-enforce-module-signature.patch | 2 +- ...ECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch | 2 +- .../0012-efi-Add-EFI_SECURE_BOOT-bit.patch | 2 +- ...able-in-a-signed-modules-environment.patch | 2 +- ...-copy-up-security-hooks-for-unioned-.patch | 2 +- ...Overlayfs-Use-copy-up-security-hooks.patch | 2 +- ...016-SELinux-Stub-in-copy-up-handling.patch | 2 +- ...nux-Handle-opening-of-a-unioned-file.patch | 2 +- ...ainst-union-label-for-file-operation.patch | 2 +- ...e-a-minimal-buffer-in-ovl_copy_xattr.patch | 2 +- ...lative-path-for-KBUILD_SRC-from-CURD.patch | 2 +- ...te-permissions-on-lower-inodes-on-ov.patch | 2 +- ...ing-ref-leak-in-join_session_keyring.patch | 75 +++++++++++++++++++ 24 files changed, 97 insertions(+), 22 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.4.0-r1.ebuild => coreos-kernel-4.4.0-r2.ebuild} (86%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/{coreos-sources-4.4.0.ebuild => coreos-sources-4.4.0-r1.ebuild} (100%) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0-r2.ebuild similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0-r2.ebuild index ad6f2587f5..4cdc6203e3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.4.0-r2.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=5 -COREOS_SOURCE_REVISION="" +COREOS_SOURCE_REVISION="-r1" inherit coreos-kernel DESCRIPTION="CoreOS Linux kernel" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.0.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.0-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.0.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-4.4.0-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch index 1429df6254..5833235d81 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0001-Add-secure_modules-call.patch @@ -1,7 +1,7 @@ From ed3da1ded7b7581a9a1dc2b48f8ddc7975f3ea67 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Fri, 9 Aug 2013 17:58:15 -0400 -Subject: [PATCH 01/21] Add secure_modules() call +Subject: [PATCH 01/22] Add secure_modules() call Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch index 738b26dd49..3ed5ae5ead 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0002-PCI-Lock-down-BAR-access-when-module-security-is-ena.patch @@ -1,7 +1,7 @@ From e797ce01ad3c0faa578734900a7c03ee04c06c08 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:10:38 -0500 -Subject: [PATCH 02/21] PCI: Lock down BAR access when module security is +Subject: [PATCH 02/22] PCI: Lock down BAR access when module security is enabled Any hardware that can potentially generate DMA has to be locked down from diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch index ed4ccc8926..1e9864b50a 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0003-x86-Lock-down-IO-port-access-when-module-security-is.patch @@ -1,7 +1,7 @@ 
From e1e4b600d77353180227e93c3dda49ebde147578 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 8 Mar 2012 10:35:59 -0500 -Subject: [PATCH 03/21] x86: Lock down IO port access when module security is +Subject: [PATCH 03/22] x86: Lock down IO port access when module security is enabled IO port access would permit users to gain access to PCI configuration diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch index 91f1dcecf3..ba4dca5936 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0004-ACPI-Limit-access-to-custom_method.patch @@ -1,7 +1,7 @@ From 15647227ed911e525339ece57b4af9d369390bb0 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:39:37 -0500 -Subject: [PATCH 04/21] ACPI: Limit access to custom_method +Subject: [PATCH 04/22] ACPI: Limit access to custom_method custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch index ac2fa29926..bd75ccb844 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0005-asus-wmi-Restrict-debugfs-interface-when-module-load.patch 
@@ -1,7 +1,7 @@ From 5b0f82c10dd93fd281e5f31c01deea1f3e2af1d1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 08:46:50 -0500 -Subject: [PATCH 05/21] asus-wmi: Restrict debugfs interface when module +Subject: [PATCH 05/22] asus-wmi: Restrict debugfs interface when module loading is restricted We have no way of validating what all of the Asus WMI methods do on a diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch index 3f62ec6e7b..24ef032980 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0006-Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch @@ -1,7 +1,7 @@ From 37f5217e456a13bb92814e515616b0524fbf0a89 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Mar 2012 09:28:15 -0500 -Subject: [PATCH 06/21] Restrict /dev/mem and /dev/kmem when module loading is +Subject: [PATCH 06/22] Restrict /dev/mem and /dev/kmem when module loading is restricted Allowing users to write to address space makes it possible for the kernel diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch index 09d311d482..db84d4d2b6 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0007-acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch @@ -1,7 +1,7 @@ From f41415ab2cf92434113fbc97fc856ddd6e8a88da Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Jun 2012 19:57:30 -0400 -Subject: [PATCH 07/21] acpi: Ignore acpi_rsdp kernel parameter when module +Subject: [PATCH 07/22] acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted This option allows userspace to pass the RSDP address to the kernel, which diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch index 827ca648d3..a16f2b8566 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0008-kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch @@ -1,7 +1,7 @@ From e227953c81434fb5156dd2504aeee7960c37a0ad Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 19 Nov 2015 18:55:53 -0800 -Subject: [PATCH 08/21] kexec: Disable at runtime if the kernel enforces module +Subject: [PATCH 08/22] kexec: Disable at runtime if the kernel enforces module loading restrictions kexec permits the loading and execution of arbitrary code in ring 0, which diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch index 152e947bed..f5c3df0b86 100644 
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0009-x86-Restrict-MSR-access-when-module-loading-is-restr.patch @@ -1,7 +1,7 @@ From 1636adeff714c17d2c9a872e6be9b025df85ef64 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 09/21] x86: Restrict MSR access when module loading is +Subject: [PATCH 09/22] x86: Restrict MSR access when module loading is restricted Writing to MSRs should not be allowed if module loading is restricted, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch index 36cfb7f6df..86e4f68c33 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0010-Add-option-to-automatically-enforce-module-signature.patch @@ -1,7 +1,7 @@ From f08b4a4b93bc28efe2d7aab38a6b44592d944dda Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 9 Aug 2013 18:36:30 -0400 -Subject: [PATCH 10/21] Add option to automatically enforce module signatures +Subject: [PATCH 10/22] Add option to automatically enforce module signatures when in Secure Boot mode UEFI Secure Boot provides a mechanism for ensuring that the firmware will 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch index fddf70b57d..fcb5c30903 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0011-efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch @@ -1,7 +1,7 @@ From 9bfe6c0b8200244a9517979dc06d3d7bcf8fde4a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:28:43 -0400 -Subject: [PATCH 11/21] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI +Subject: [PATCH 11/22] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI The functionality of the config option is dependent upon the platform being UEFI based. Reflect this in the config deps. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch index ac64b657d4..a86f208e2e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0012-efi-Add-EFI_SECURE_BOOT-bit.patch @@ -1,7 +1,7 @@ From 1b435189fb66e031edc4df509576448a96b4c3ff Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 27 Aug 2013 13:33:03 -0400 -Subject: [PATCH 12/21] efi: Add EFI_SECURE_BOOT bit +Subject: [PATCH 12/22] efi: Add EFI_SECURE_BOOT bit UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit for use with efi_enabled. 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch index 1285cb8cfc..948822607b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0013-hibernate-Disable-in-a-signed-modules-environment.patch @@ -1,7 +1,7 @@ From e62a3871237bb79ef5e51b112eff7d940cf06020 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Jun 2014 08:53:24 -0400 -Subject: [PATCH 13/21] hibernate: Disable in a signed modules environment +Subject: [PATCH 13/22] hibernate: Disable in a signed modules environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch index e785cc4dfe..8b4c8d74b9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0014-Security-Provide-copy-up-security-hooks-for-unioned-.patch @@ -1,7 +1,7 @@ From 70aadec167cb84865c6e85c1eccc218a024f86ef Mon Sep 17 00:00:00 2001 
From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 14/21] Security: Provide copy-up security hooks for unioned +Subject: [PATCH 14/22] Security: Provide copy-up security hooks for unioned files Provide two new security hooks for use with security files that are used when diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch index 4b391d76f7..af7a4b6f1b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0015-Overlayfs-Use-copy-up-security-hooks.patch @@ -1,7 +1,7 @@ From 2e1d35fb4b10cafc0dac63436f94fda8b4e738ee Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:31 +0100 -Subject: [PATCH 15/21] Overlayfs: Use copy-up security hooks +Subject: [PATCH 15/22] Overlayfs: Use copy-up security hooks Use the copy-up security hooks previously provided to allow an LSM to adjust the security on a newly created copy and to filter the xattrs copied to that diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch index ef7de809d8..9539e08d88 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0016-SELinux-Stub-in-copy-up-handling.patch @@ -1,7 +1,7 @@ From df782b85901bc5a1e1d5c90895b0166cb7ba6260 Mon Sep 17 00:00:00 2001 
From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 16/21] SELinux: Stub in copy-up handling +Subject: [PATCH 16/22] SELinux: Stub in copy-up handling Provide stubs for union/overlay copy-up handling. The xattr copy up stub discards lower SELinux xattrs rather than letting them be copied up so that diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch index 5756d5e9a2..b101f90fbe 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0017-SELinux-Handle-opening-of-a-unioned-file.patch @@ -1,7 +1,7 @@ From ce05f979bd98e5f267330f47d9a26bbb138dc54f Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 17/21] SELinux: Handle opening of a unioned file +Subject: [PATCH 17/22] SELinux: Handle opening of a unioned file Handle the opening of a unioned file by trying to derive the label that would be attached to the union-layer inode if it doesn't exist. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch index deb93c7228..b29128420d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0018-SELinux-Check-against-union-label-for-file-operation.patch @@ -1,7 +1,7 @@ 
From f60b70463bb7493f60a27ac2d06058da87b062d9 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 16 Jun 2015 14:14:32 +0100 -Subject: [PATCH 18/21] SELinux: Check against union label for file operations +Subject: [PATCH 18/22] SELinux: Check against union label for file operations File operations (eg. read, write) issued against a file that is attached to the lower layer of a union file needs to be checked against the union-layer diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch index 25b3888272..50301f1b78 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0019-overlayfs-use-a-minimal-buffer-in-ovl_copy_xattr.patch @@ -1,7 +1,7 @@ From 116f798bcf3fd2ce4965cb15ec44c8180f0428c1 Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Mon, 19 Oct 2015 17:53:12 -0700 -Subject: [PATCH 19/21] overlayfs: use a minimal buffer in ovl_copy_xattr +Subject: [PATCH 19/22] overlayfs: use a minimal buffer in ovl_copy_xattr Rather than always allocating the high-order XATTR_SIZE_MAX buffer which is costly and prone to failure, only allocate what is needed and diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch index 1432ce1a1b..03d1b10834 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0020-kbuild-derive-relative-path-for-KBUILD_SRC-from-CURD.patch @@ -1,7 +1,7 @@ From 6f682c2c88f74b45c3692a994d90ed51412b932b Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 25 Nov 2015 02:59:45 -0800 -Subject: [PATCH 20/21] kbuild: derive relative path for KBUILD_SRC from CURDIR +Subject: [PATCH 20/22] kbuild: derive relative path for KBUILD_SRC from CURDIR This enables relocating source and build trees to different roots, provided they stay reachable relative to one another. Useful for diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch index d088699615..b8450831e3 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0021-Don-t-verify-write-permissions-on-lower-inodes-on-ov.patch @@ -1,7 +1,7 @@ From 06ccab87d8c415e51bcf69e34bb27712bad8398f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 22 Dec 2015 07:43:52 +0000 -Subject: [PATCH 21/21] Don't verify write permissions on lower inodes on +Subject: [PATCH 21/22] Don't verify write permissions on lower inodes on overlayfs If a user opens a file r/w on overlayfs, and if the underlying inode is diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch new file mode 100644 index 0000000000..ba22f6cb60 --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/4.4/0022-KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
@@ -0,0 +1,75 @@
+From fc94e26e760f2e752aa55f7b2d58fdcbeeef433e Mon Sep 17 00:00:00 2001
+From: Yevgeny Pats
+Date: Mon, 11 Jan 2016 12:05:28 +0000
+Subject: [PATCH 22/22] KEYS: Fix keyring ref leak in join_session_keyring()
+
+If a thread is asked to join as a session keyring the keyring that's already
+set as its session, we leak a keyring reference.
+
+This can be tested with the following program:
+
+ #include
+ #include
+ #include
+ #include
+
+ int main(int argc, const char *argv[])
+ {
+ int i = 0;
+ key_serial_t serial;
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial,
+ KEY_POS_ALL | KEY_USR_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ for (i = 0; i < 100; i++) {
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+
+If, after the program has run, there something like the following line in
+/proc/keys:
+
+3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
+
+with a usage count of 100 * the number of times the program has been run,
+then the kernel is malfunctioning. If leaked-keyring has zero usages or
+has been garbage collected, then the problem is fixed.
+
+Reported-by: Yevgeny Pats
+Signed-off-by: David Howells
+---
+ security/keys/process_keys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index a3f85d2..e6d50172 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
+--
+2.4.10
+
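Review bot: The new patch file carries no reference to the upstream commit or to the CVE named in this commit's subject, so the next rebase onto a newer 4.4.y tree cannot tell whether the fix is already present in the base; the `From fc94e26e…` line at its head appears to be a local rebase id rather than the upstream one. Add a provenance line after the `Signed-off-by:` trailer, e.g. `(cherry picked from commit <UPSTREAM-COMMIT-ID>)` together with `CVE: CVE-2016-0728`, filling in the id from the upstream tree. The one-line `key_put(keyring);` is correct as far as the hunk shows: the `keyring == new->session_keyring` branch previously returned through `error2` without dropping the reference taken by the lookup that produced `keyring`, and both that lookup and the `error2` cleanup lie outside the hunk. The `/proc/keys` usage count the description points to doubles as the acceptance check for this backport: after the bump, an idle keyring's count should no longer climb with each repeated join.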