Merge remote-tracking branch 'origin/master'kernel-4.9.0-0.rc0.git2.1.vanilla.knurd.1.fc24

8 files changed, 21 insertions, 936 deletions

diff --git a/config-arm-generic b/config-arm-generic
index 4759a441d..5588faade 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -148,6 +148,7 @@ CONFIG_HW_RANDOM_BCM2835=m
 CONFIG_I2C_BCM2835=m
 CONFIG_SPI_BCM2835=m
 CONFIG_SPI_BCM2835AUX=m
+# CONFIG_SPI_BCM_QSPI is not set
 CONFIG_BCM2835_WDT=m
 CONFIG_SND_BCM2835_SOC_I2S=m
 CONFIG_DRM_VC4=m
@@ -686,6 +687,7 @@ CONFIG_NET_VENDOR_MELLANOX=y
 # CONFIG_REGULATOR_TPS65023 is not set
 # CONFIG_REGULATOR_TPS6507X is not set
 # CONFIG_REGULATOR_TPS6524X is not set
+# CONFIG_REGULATOR_LTC3676 is not set
 
 # drm
 # CONFIG_DRM_VMWGFX is not set
diff --git a/config-arm64 b/config-arm64
index c4d0a1e72..88197fc61 100644
--- a/config-arm64
+++ b/config-arm64
@@ -149,6 +149,7 @@ CONFIG_PCI_XGENE_MSI=y
 CONFIG_I2C_XGENE_SLIMPRO=m
 CONFIG_XGENE_SLIMPRO_MBOX=m
 CONFIG_MDIO_XGENE=m
+# CONFIG_SENSORS_XGENE is not set
 
 # AMD Seattle
 CONFIG_NET_SB1000=y
@@ -282,6 +283,7 @@ CONFIG_THUNDER_NIC_PF=m
 CONFIG_THUNDER_NIC_VF=m
 CONFIG_THUNDER_NIC_BGX=m
 # CONFIG_LIQUIDIO is not set
+# CONFIG_SPI_THUNDERX is not set
 
 CONFIG_SATA_AHCI_PLATFORM=y
 CONFIG_SATA_AHCI_SEATTLE=m
diff --git a/config-armv7 b/config-armv7
index eea55a205..e8427d59f 100644
--- a/config-armv7
+++ b/config-armv7
@@ -302,6 +302,8 @@ CONFIG_MSM_GCC_8974=m
 CONFIG_MSM_MMCC_8974=m
 CONFIG_MSM_GCC_8996=m
 CONFIG_MSM_MMCC_8996=m
+# CONFIG_MDM_GCC_9615 is not set
+# CONFIG_MDM_LCC_9615 is not set
 CONFIG_HW_RANDOM_MSM=m
 CONFIG_I2C_QUP=m
 CONFIG_SPI_QUP=m
diff --git a/config-generic b/config-generic
index 6bd3b4eb1..c61a050ab 100644
--- a/config-generic
+++ b/config-generic
@@ -222,6 +222,12 @@ CONFIG_BINFMT_MISC=m
 # CONFIG_COMMON_CLK_OXNAS is not set
 # CONFIG_COMMON_CLK_HI3519 is not set
 # CONFIG_SUNXI_CCU is not set
+# CONFIG_COMMON_CLK_MT8135 is not set
+# CONFIG_COMMON_CLK_MT8173 is not set
+# CONFIG_SUN6I_A31_CCU is not set
+# CONFIG_SUN8I_A23_CCU is not set
+# CONFIG_SUN8I_A33_CCU is not set
+
 
 #
 # Generic Driver Options
@@ -5455,11 +5461,14 @@ CONFIG_LEDS_TRIGGER_DISK=y
 CONFIG_LEDS_WM8350=m
 CONFIG_LEDS_WM831X_STATUS=m
 # CONFIG_LEDS_DAC124S085 is not set
+# CONFIG_LEDS_IS31FL319X is not set
 # Do not enable the below.  They selects the fw user helper, which we don't want
 # CONFIG_LEDS_LP5521 is not set
 # CONFIG_LEDS_LP5523 is not set
 # CONFIG_LEDS_LP5562 is not set
 # CONFIG_LEDS_LP55XX_COMMON is not set
+# CONFIG_LEDS_PM8058 is not set
+# CONFIG_LEDS_MLXCPLD is not set
 
 CONFIG_DMADEVICES=y
 CONFIG_DMA_ENGINE=y
diff --git a/gitrev b/gitrev
index d825b4063..f4ff20801 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-21f54ddae449f4bdd9f1498124901d67202243d9
+a3443cda5588985a2724d6d0f4a5f04e625be6eb
diff --git a/kernel.spec b/kernel.spec
index e4dc7d8c9..430dcc03e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -623,9 +623,6 @@ Patch842: qxl-reapply-cursor-after-SetCrtc-calls.patch
 # From kernel list, currently in linux-next
 Patch845: HID-microsoft-Add-Surface-4-type-cover-pro-4-JP.patch
 
-# SELinux OverlayFS support (queued for 4.9)
-Patch846: security-selinux-overlayfs-support.patch
-
 #rhbz 1360688
 Patch847: rc-core-fix-repeat-events.patch
 
@@ -2177,6 +2174,9 @@ fi
 #
 #
 %changelog
+* Wed Oct 05 2016 Laura Abbott <labbott@redhat.com> - 4.9.0-0.rc0.git2.1
+- Linux v4.8-2283-ga3443cd
+
 * Tue Oct 04 2016 Laura Abbott <labbott@redhat.com> - 4.9.0-0.rc0.git1.1
 - Linux v4.8-1558-g21f54dd
 - Reenable debugging options.
diff --git a/security-selinux-overlayfs-support.patch b/security-selinux-overlayfs-support.patch
deleted file mode 100644
index 7149e4566..000000000
--- a/security-selinux-overlayfs-support.patch
+++ /dev/null
@@ -1,931 +0,0 @@
-From 1a93a6eac32a2853177f10e274b9b761b42356eb Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas <javier@osg.samsung.com>
-Date: Mon, 8 Aug 2016 13:08:25 -0400
-Subject: [PATCH 01/10] security: Use IS_ENABLED() instead of checking for
- built-in or module
-
-The IS_ENABLED() macro checks if a Kconfig symbol has been enabled
-either built-in or as a module, use that macro instead of open coding
-the same.
-
-Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
-Acked-by: Casey Schaufler <casey@schaufler-ca.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/lsm_audit.c             |  2 +-
- security/selinux/hooks.c         | 12 ++++++------
- security/smack/smack_netfilter.c |  4 ++--
- 3 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/security/lsm_audit.c b/security/lsm_audit.c
-index cccbf30..5369036 100644
---- a/security/lsm_audit.c
-+++ b/security/lsm_audit.c
-@@ -99,7 +99,7 @@ int ipv4_skb_to_auditdata(struct sk_buff *skb,
- 	}
- 	return ret;
- }
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- /**
-  * ipv6_skb_to_auditdata : fill auditdata from skb
-  * @skb : the skb
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 13185a6..880f953 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3984,7 +3984,7 @@ out:
- 	return ret;
- }
-
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
-
- /* Returns error only if unable to parse addresses */
- static int selinux_parse_skb_ipv6(struct sk_buff *skb,
-@@ -4075,7 +4075,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
- 				       &ad->u.net->v4info.daddr);
- 		goto okay;
-
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- 	case PF_INET6:
- 		ret = selinux_parse_skb_ipv6(skb, ad, proto);
- 		if (ret)
-@@ -5029,7 +5029,7 @@ static unsigned int selinux_ipv4_forward(void *priv,
- 	return selinux_ip_forward(skb, state->in, PF_INET);
- }
-
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- static unsigned int selinux_ipv6_forward(void *priv,
- 					 struct sk_buff *skb,
- 					 const struct nf_hook_state *state)
-@@ -5087,7 +5087,7 @@ static unsigned int selinux_ipv4_output(void *priv,
- 	return selinux_ip_output(skb, PF_INET);
- }
-
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- static unsigned int selinux_ipv6_output(void *priv,
- 					struct sk_buff *skb,
- 					const struct nf_hook_state *state)
-@@ -5273,7 +5273,7 @@ static unsigned int selinux_ipv4_postroute(void *priv,
- 	return selinux_ip_postroute(skb, state->out, PF_INET);
- }
-
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- static unsigned int selinux_ipv6_postroute(void *priv,
- 					   struct sk_buff *skb,
- 					   const struct nf_hook_state *state)
-@@ -6317,7 +6317,7 @@ static struct nf_hook_ops selinux_nf_ops[] = {
- 		.hooknum =	NF_INET_LOCAL_OUT,
- 		.priority =	NF_IP_PRI_SELINUX_FIRST,
- 	},
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- 	{
- 		.hook =		selinux_ipv6_postroute,
- 		.pf =		NFPROTO_IPV6,
-diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
-index aa6bf1b..205b785 100644
---- a/security/smack/smack_netfilter.c
-+++ b/security/smack/smack_netfilter.c
-@@ -20,7 +20,7 @@
- #include <net/inet_sock.h>
- #include "smack.h"
-
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
-
- static unsigned int smack_ipv6_output(void *priv,
- 					struct sk_buff *skb,
-@@ -64,7 +64,7 @@ static struct nf_hook_ops smack_nf_ops[] = {
- 		.hooknum =	NF_INET_LOCAL_OUT,
- 		.priority =	NF_IP_PRI_SELINUX_FIRST,
- 	},
--#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-+#if IS_ENABLED(CONFIG_IPV6)
- 	{
- 		.hook =		smack_ipv6_output,
- 		.pf =		NFPROTO_IPV6,
--- 
-2.7.4
-
-From 8b31f456c72e53ee97474a538bcd91bfb1b93fb7 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Mon, 8 Aug 2016 13:08:34 -0400
-Subject: [PATCH 02/10] selinux: print leading 0x on ioctlcmd audits
-
-ioctlcmd is currently printing hex numbers, but their is no leading
-0x. Thus things like ioctlcmd=1234 are misleading, as the base is
-not evident.
-
-Correct this by adding 0x as a prefix, so ioctlcmd=1234 becomes
-ioctlcmd=0x1234.
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/lsm_audit.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/security/lsm_audit.c b/security/lsm_audit.c
-index 5369036..9bf8518 100644
---- a/security/lsm_audit.c
-+++ b/security/lsm_audit.c
-@@ -257,7 +257,7 @@ static void dump_common_audit_data(struct audit_buffer *ab,
- 			audit_log_format(ab, " ino=%lu", inode->i_ino);
- 		}
-
--		audit_log_format(ab, " ioctlcmd=%hx", a->u.op->cmd);
-+		audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
- 		break;
- 	}
- 	case LSM_AUDIT_DATA_DENTRY: {
--- 
-2.7.4
-
-From d8ad8b49618410ddeafd78465b63a6cedd6c9484 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 11:13:56 -0400
-Subject: [PATCH 03/10] security, overlayfs: provide copy up security hook for
- unioned files
-
-Provide a security hook to label new file correctly when a file is copied
-up from lower layer to upper layer of a overlay/union mount.
-
-This hook can prepare a new set of creds which are suitable for new file
-creation during copy up. Caller will use new creds to create file and then
-revert back to old creds and release new creds.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-[PM: whitespace cleanup to appease checkpatch.pl]
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- fs/overlayfs/copy_up.c    | 15 +++++++++++++++
- include/linux/lsm_hooks.h | 11 +++++++++++
- include/linux/security.h  |  6 ++++++
- security/security.c       |  8 ++++++++
- 4 files changed, 40 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index 54e5d66..c297b1f 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -246,6 +246,8 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	struct dentry *upper = NULL;
- 	umode_t mode = stat->mode;
- 	int err;
-+	const struct cred *old_creds = NULL;
-+	struct cred *new_creds = NULL;
-
- 	newdentry = ovl_lookup_temp(workdir, dentry);
- 	err = PTR_ERR(newdentry);
-@@ -258,10 +260,23 @@ static int ovl_copy_up_locked(struct dentry *workdir, struct dentry *upperdir,
- 	if (IS_ERR(upper))
- 		goto out1;
-
-+	err = security_inode_copy_up(dentry, &new_creds);
-+	if (err < 0)
-+		goto out2;
-+
-+	if (new_creds)
-+		old_creds = override_creds(new_creds);
-+
- 	/* Can't properly set mode on creation because of the umask */
- 	stat->mode &= S_IFMT;
- 	err = ovl_create_real(wdir, newdentry, stat, link, NULL, true);
- 	stat->mode = mode;
-+
-+	if (new_creds) {
-+		revert_creds(old_creds);
-+		put_cred(new_creds);
-+	}
-+
- 	if (err)
- 		goto out2;
-
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 101bf19..cb69fc8 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -401,6 +401,15 @@
-  *	@inode contains a pointer to the inode.
-  *	@secid contains a pointer to the location where result will be saved.
-  *	In case of failure, @secid will be set to zero.
-+ * @inode_copy_up:
-+ *	A file is about to be copied up from lower layer to upper layer of
-+ *	overlay filesystem. Security module can prepare a set of new creds
-+ *	and modify as need be and return new creds. Caller will switch to
-+ *	new creds temporarily to create new file and release newly allocated
-+ *	creds.
-+ *	@src indicates the union dentry of file that is being copied up.
-+ *	@new pointer to pointer to return newly allocated creds.
-+ *	Returns 0 on success or a negative error code on error.
-  *
-  * Security hooks for file operations
-  *
-@@ -1425,6 +1434,7 @@ union security_list_options {
- 	int (*inode_listsecurity)(struct inode *inode, char *buffer,
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
-+	int (*inode_copy_up)(struct dentry *src, struct cred **new);
-
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1696,6 +1706,7 @@ struct security_hook_heads {
- 	struct list_head inode_setsecurity;
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
-+	struct list_head inode_copy_up;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 7831cd5..c5b0ccd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -282,6 +282,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
- int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
-+int security_inode_copy_up(struct dentry *src, struct cred **new);
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -758,6 +759,11 @@ static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = 0;
- }
-
-+static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	return 0;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index 4838e7f..f2a7f27 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -748,6 +748,12 @@ void security_inode_getsecid(struct inode *inode, u32 *secid)
- 	call_void_hook(inode_getsecid, inode, secid);
- }
-
-+int security_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	return call_int_hook(inode_copy_up, 0, src, new);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1684,6 +1690,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- 	.inode_getsecid =
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
-+	.inode_copy_up =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.7.4
-
-From 56909eb3f559103196ecbf2c08c923e0804980fb Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 10:44:48 -0400
-Subject: [PATCH 04/10] selinux: Implementation for inode_copy_up() hook
-
-A file is being copied up for overlay file system. Prepare a new set of
-creds and set create_sid appropriately so that new file is created with
-appropriate label.
-
-Overlay inode has right label for both context and non-context mount
-cases. In case of non-context mount, overlay inode will have the label
-of lower file and in case of context mount, overlay inode will have
-the label from context= mount option.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 880f953..40597ed 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3293,6 +3293,26 @@ static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
- 	*secid = isec->sid;
- }
-
-+static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
-+{
-+	u32 sid;
-+	struct task_security_struct *tsec;
-+	struct cred *new_creds = *new;
-+
-+	if (new_creds == NULL) {
-+		new_creds = prepare_creds();
-+		if (!new_creds)
-+			return -ENOMEM;
-+	}
-+
-+	tsec = new_creds->security;
-+	/* Get label from overlay inode and set it in create_sid */
-+	selinux_inode_getsecid(d_inode(src), &sid);
-+	tsec->create_sid = sid;
-+	*new = new_creds;
-+	return 0;
-+}
-+
- /* file security operations */
-
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6088,6 +6108,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity),
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
-+	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
-
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.7.4
-
-From 121ab822ef21914adac2fa3730efeeb8fd762473 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 10:44:49 -0400
-Subject: [PATCH 05/10] security,overlayfs: Provide security hook for copy up
- of xattrs for overlay file
-
-Provide a security hook which is called when xattrs of a file are being
-copied up. This hook is called once for each xattr and LSM can return
-0 if the security module wants the xattr to be copied up, 1 if the
-security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
-if the security module does not handle/manage the xattr, or a -errno
-upon an error.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-[PM: whitespace cleanup for checkpatch.pl]
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- fs/overlayfs/copy_up.c    |  7 +++++++
- include/linux/lsm_hooks.h | 10 ++++++++++
- include/linux/security.h  |  6 ++++++
- security/security.c       |  8 ++++++++
- 4 files changed, 31 insertions(+)
-
-diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
-index c297b1f..cd65f12 100644
---- a/fs/overlayfs/copy_up.c
-+++ b/fs/overlayfs/copy_up.c
-@@ -103,6 +103,13 @@ retry:
- 			goto retry;
- 		}
-
-+		error = security_inode_copy_up_xattr(name);
-+		if (error < 0 && error != -EOPNOTSUPP)
-+			break;
-+		if (error == 1) {
-+			error = 0;
-+			continue; /* Discard */
-+		}
- 		error = vfs_setxattr(new, name, value, size, 0);
- 		if (error)
- 			break;
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index cb69fc8..5797122 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -410,6 +410,14 @@
-  *	@src indicates the union dentry of file that is being copied up.
-  *	@new pointer to pointer to return newly allocated creds.
-  *	Returns 0 on success or a negative error code on error.
-+ * @inode_copy_up_xattr:
-+ *	Filter the xattrs being copied up when a unioned file is copied
-+ *	up from a lower layer to the union/overlay layer.
-+ *	@name indicates the name of the xattr.
-+ *	Returns 0 to accept the xattr, 1 to discard the xattr, -EOPNOTSUPP if
-+ *	security module does not know about attribute or a negative error code
-+ *	to abort the copy up. Note that the caller is responsible for reading
-+ *	and writing the xattrs as this hook is merely a filter.
-  *
-  * Security hooks for file operations
-  *
-@@ -1435,6 +1443,7 @@ union security_list_options {
- 					size_t buffer_size);
- 	void (*inode_getsecid)(struct inode *inode, u32 *secid);
- 	int (*inode_copy_up)(struct dentry *src, struct cred **new);
-+	int (*inode_copy_up_xattr)(const char *name);
-
- 	int (*file_permission)(struct file *file, int mask);
- 	int (*file_alloc_security)(struct file *file);
-@@ -1707,6 +1716,7 @@ struct security_hook_heads {
- 	struct list_head inode_listsecurity;
- 	struct list_head inode_getsecid;
- 	struct list_head inode_copy_up;
-+	struct list_head inode_copy_up_xattr;
- 	struct list_head file_permission;
- 	struct list_head file_alloc_security;
- 	struct list_head file_free_security;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index c5b0ccd..536fafd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -283,6 +283,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
- int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
- void security_inode_getsecid(struct inode *inode, u32 *secid);
- int security_inode_copy_up(struct dentry *src, struct cred **new);
-+int security_inode_copy_up_xattr(const char *name);
- int security_file_permission(struct file *file, int mask);
- int security_file_alloc(struct file *file);
- void security_file_free(struct file *file);
-@@ -764,6 +765,11 @@ static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
- 	return 0;
- }
-
-+static inline int security_inode_copy_up_xattr(const char *name)
-+{
-+	return -EOPNOTSUPP;
-+}
-+
- static inline int security_file_permission(struct file *file, int mask)
- {
- 	return 0;
-diff --git a/security/security.c b/security/security.c
-index f2a7f27..a9e2bb9 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -754,6 +754,12 @@ int security_inode_copy_up(struct dentry *src, struct cred **new)
- }
- EXPORT_SYMBOL(security_inode_copy_up);
-
-+int security_inode_copy_up_xattr(const char *name)
-+{
-+	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
-+}
-+EXPORT_SYMBOL(security_inode_copy_up_xattr);
-+
- int security_file_permission(struct file *file, int mask)
- {
- 	int ret;
-@@ -1692,6 +1698,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
- 	.inode_copy_up =
- 		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
-+	.inode_copy_up_xattr =
-+		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- 	.file_permission =
- 		LIST_HEAD_INIT(security_hook_heads.file_permission),
- 	.file_alloc_security =
--- 
-2.7.4
-
-From 19472b69d639d58415866bf127d5f9005038c105 Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 10:44:50 -0400
-Subject: [PATCH 06/10] selinux: Implementation for inode_copy_up_xattr() hook
-
-When a file is copied up in overlay, we have already created file on
-upper/ with right label and there is no need to copy up selinux
-label/xattr from lower file to upper file. In fact in case of context
-mount, we don't want to copy up label as newly created file got its label
-from context= option.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index 40597ed..a2d5108 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -3313,6 +3313,21 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
- 	return 0;
- }
-
-+static int selinux_inode_copy_up_xattr(const char *name)
-+{
-+	/* The copy_up hook above sets the initial context on an inode, but we
-+	 * don't then want to overwrite it by blindly copying all the lower
-+	 * xattrs up.  Instead, we have to filter out SELinux-related xattrs.
-+	 */
-+	if (strcmp(name, XATTR_NAME_SELINUX) == 0)
-+		return 1; /* Discard */
-+	/*
-+	 * Any other attribute apart from SELINUX is not claimed, supported
-+	 * by selinux.
-+	 */
-+	return -EOPNOTSUPP;
-+}
-+
- /* file security operations */
-
- static int selinux_revalidate_file_permission(struct file *file, int mask)
-@@ -6109,6 +6124,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity),
- 	LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid),
- 	LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up),
-+	LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr),
-
- 	LSM_HOOK_INIT(file_permission, selinux_file_permission),
- 	LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
--- 
-2.7.4
-
-From c957f6df52c509ccfbb96659fd1a0f7812de333f Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 10:44:51 -0400
-Subject: [PATCH 07/10] selinux: Pass security pointer to
- determine_inode_label()
-
-Right now selinux_determine_inode_label() works on security pointer of
-current task. Soon I need this to work on a security pointer retrieved
-from a set of creds. So start passing in a pointer and caller can
-decide where to fetch security pointer from.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index a2d5108..f9d398b 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -1808,13 +1808,13 @@ out:
- /*
-  * Determine the label for an inode that might be unioned.
-  */
--static int selinux_determine_inode_label(struct inode *dir,
--					 const struct qstr *name,
--					 u16 tclass,
--					 u32 *_new_isid)
-+static int
-+selinux_determine_inode_label(const struct task_security_struct *tsec,
-+				 struct inode *dir,
-+				 const struct qstr *name, u16 tclass,
-+				 u32 *_new_isid)
- {
- 	const struct superblock_security_struct *sbsec = dir->i_sb->s_security;
--	const struct task_security_struct *tsec = current_security();
-
- 	if ((sbsec->flags & SE_SBINITIALIZED) &&
- 	    (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) {
-@@ -1857,8 +1857,8 @@ static int may_create(struct inode *dir,
- 	if (rc)
- 		return rc;
-
--	rc = selinux_determine_inode_label(dir, &dentry->d_name, tclass,
--					   &newsid);
-+	rc = selinux_determine_inode_label(current_security(), dir,
-+					   &dentry->d_name, tclass, &newsid);
- 	if (rc)
- 		return rc;
-
-@@ -2838,7 +2838,8 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- 	u32 newsid;
- 	int rc;
-
--	rc = selinux_determine_inode_label(d_inode(dentry->d_parent), name,
-+	rc = selinux_determine_inode_label(current_security(),
-+					   d_inode(dentry->d_parent), name,
- 					   inode_mode_to_security_class(mode),
- 					   &newsid);
- 	if (rc)
-@@ -2863,7 +2864,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- 	sid = tsec->sid;
- 	newsid = tsec->create_sid;
-
--	rc = selinux_determine_inode_label(
-+	rc = selinux_determine_inode_label(current_security(),
- 		dir, qstr,
- 		inode_mode_to_security_class(inode->i_mode),
- 		&newsid);
--- 
-2.7.4
-
-From 2602625b7e46576b00db619ac788c508ba3bcb2c Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 10:44:52 -0400
-Subject: [PATCH 08/10] security, overlayfs: Provide hook to correctly label
- newly created files
-
-During a new file creation we need to make sure new file is created with the
-right label. New file is created in upper/ so effectively file should get
-label as if task had created file in upper/.
-
-We switched to mounter's creds for actual file creation. Also if there is a
-whiteout present, then file will be created in work/ dir first and then
-renamed in upper. In none of the cases file will be labeled as we want it to
-be.
-
-This patch introduces a new hook dentry_create_files_as(), which determines
-the label/context dentry will get if it had been created by task in upper
-and modify passed set of creds appropriately. Caller makes use of these new
-creds for file creation.
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-[PM: fix whitespace issues found with checkpatch.pl]
-[PM: changes to use stat->mode in ovl_create_or_link()]
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- fs/overlayfs/dir.c        | 10 ++++++++++
- include/linux/lsm_hooks.h | 15 +++++++++++++++
- include/linux/security.h  | 12 ++++++++++++
- security/security.c       | 11 +++++++++++
- 4 files changed, 48 insertions(+)
-
-diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
-index 12bcd07..a155e52 100644
---- a/fs/overlayfs/dir.c
-+++ b/fs/overlayfs/dir.c
-@@ -435,6 +435,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- 	if (override_cred) {
- 		override_cred->fsuid = inode->i_uid;
- 		override_cred->fsgid = inode->i_gid;
-+		if (!hardlink) {
-+			err = security_dentry_create_files_as(dentry,
-+					stat->mode, &dentry->d_name, old_cred,
-+					override_cred);
-+			if (err) {
-+				put_cred(override_cred);
-+				goto out_revert_creds;
-+			}
-+		}
- 		put_cred(override_creds(override_cred));
- 		put_cred(override_cred);
-
-@@ -445,6 +454,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode,
- 			err = ovl_create_over_whiteout(dentry, inode, stat,
- 							link, hardlink);
- 	}
-+out_revert_creds:
- 	revert_creds(old_cred);
- 	if (!err) {
- 		struct inode *realinode = d_inode(ovl_dentry_upper(dentry));
-diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
-index 5797122..f2af2af 100644
---- a/include/linux/lsm_hooks.h
-+++ b/include/linux/lsm_hooks.h
-@@ -151,6 +151,16 @@
-  *	@name name of the last path component used to create file
-  *	@ctx pointer to place the pointer to the resulting context in.
-  *	@ctxlen point to place the length of the resulting context.
-+ * @dentry_create_files_as:
-+ *	Compute a context for a dentry as the inode is not yet available
-+ *	and set that context in passed in creds so that new files are
-+ *	created using that context. Context is calculated using the
-+ *	passed in creds and not the creds of the caller.
-+ *	@dentry dentry to use in calculating the context.
-+ *	@mode mode used to determine resource type.
-+ *	@name name of the last path component used to create file
-+ *	@old creds which should be used for context calculation
-+ *	@new creds to modify
-  *
-  *
-  * Security hooks for inode operations.
-@@ -1375,6 +1385,10 @@ union security_list_options {
- 	int (*dentry_init_security)(struct dentry *dentry, int mode,
- 					const struct qstr *name, void **ctx,
- 					u32 *ctxlen);
-+	int (*dentry_create_files_as)(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old,
-+					struct cred *new);
-
-
- #ifdef CONFIG_SECURITY_PATH
-@@ -1675,6 +1689,7 @@ struct security_hook_heads {
- 	struct list_head sb_clone_mnt_opts;
- 	struct list_head sb_parse_opts_str;
- 	struct list_head dentry_init_security;
-+	struct list_head dentry_create_files_as;
- #ifdef CONFIG_SECURITY_PATH
- 	struct list_head path_unlink;
- 	struct list_head path_mkdir;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 536fafd..a6c6d5d 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -242,6 +242,10 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
- int security_dentry_init_security(struct dentry *dentry, int mode,
- 					const struct qstr *name, void **ctx,
- 					u32 *ctxlen);
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+					struct qstr *name,
-+					const struct cred *old,
-+					struct cred *new);
-
- int security_inode_alloc(struct inode *inode);
- void security_inode_free(struct inode *inode);
-@@ -600,6 +604,14 @@ static inline int security_dentry_init_security(struct dentry *dentry,
- 	return -EOPNOTSUPP;
- }
-
-+static inline int security_dentry_create_files_as(struct dentry *dentry,
-+						  int mode, struct qstr *name,
-+						  const struct cred *old,
-+						  struct cred *new)
-+{
-+	return 0;
-+}
-+
-
- static inline int security_inode_init_security(struct inode *inode,
- 						struct inode *dir,
-diff --git a/security/security.c b/security/security.c
-index a9e2bb9..f825304 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -364,6 +364,15 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
- }
- EXPORT_SYMBOL(security_dentry_init_security);
-
-+int security_dentry_create_files_as(struct dentry *dentry, int mode,
-+				    struct qstr *name,
-+				    const struct cred *old, struct cred *new)
-+{
-+	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
-+				name, old, new);
-+}
-+EXPORT_SYMBOL(security_dentry_create_files_as);
-+
- int security_inode_init_security(struct inode *inode, struct inode *dir,
- 				 const struct qstr *qstr,
- 				 const initxattrs initxattrs, void *fs_data)
-@@ -1635,6 +1644,8 @@ struct security_hook_heads security_hook_heads = {
- 		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- 	.dentry_init_security =
- 		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
-+	.dentry_create_files_as =
-+		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
- #ifdef CONFIG_SECURITY_PATH
- 	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
- 	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
--- 
-2.7.4
-
-From a518b0a5b0d7f3397e065acb956bca9635aa892d Mon Sep 17 00:00:00 2001
-From: Vivek Goyal <vgoyal@redhat.com>
-Date: Wed, 13 Jul 2016 10:44:53 -0400
-Subject: [PATCH 09/10] selinux: Implement dentry_create_files_as() hook
-
-Calculate what would be the label of newly created file and set that
-secid in the passed creds.
-
-Context of the task which is actually creating file is retrieved from
-set of creds passed in. (old->security).
-
-Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/hooks.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
-index f9d398b..e15e560 100644
---- a/security/selinux/hooks.c
-+++ b/security/selinux/hooks.c
-@@ -2848,6 +2848,27 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode,
- 	return security_sid_to_context(newsid, (char **)ctx, ctxlen);
- }
-
-+static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,
-+					  struct qstr *name,
-+					  const struct cred *old,
-+					  struct cred *new)
-+{
-+	u32 newsid;
-+	int rc;
-+	struct task_security_struct *tsec;
-+
-+	rc = selinux_determine_inode_label(old->security,
-+					   d_inode(dentry->d_parent), name,
-+					   inode_mode_to_security_class(mode),
-+					   &newsid);
-+	if (rc)
-+		return rc;
-+
-+	tsec = new->security;
-+	tsec->create_sid = newsid;
-+	return 0;
-+}
-+
- static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
- 				       const struct qstr *qstr,
- 				       const char **name,
-@@ -6098,6 +6119,7 @@ static struct security_hook_list selinux_hooks[] = {
- 	LSM_HOOK_INIT(sb_parse_opts_str, selinux_parse_opts_str),
-
- 	LSM_HOOK_INIT(dentry_init_security, selinux_dentry_init_security),
-+	LSM_HOOK_INIT(dentry_create_files_as, selinux_dentry_create_files_as),
-
- 	LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security),
- 	LSM_HOOK_INIT(inode_free_security, selinux_inode_free_security),
--- 
-2.7.4
-
-From 348a0db9e69e4c214bf5d7677f17cb99cdc47db0 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Mon, 15 Aug 2016 12:42:12 -0700
-Subject: [PATCH 10/10] selinux: drop SECURITY_SELINUX_POLICYDB_VERSION_MAX
-
-Remove the SECURITY_SELINUX_POLICYDB_VERSION_MAX Kconfig option
-
-Per: https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo
-
-This was only needed on Fedora 3 and 4 and just causes issues now,
-so drop it.
-
-The MAX and MIN should just be whatever the kernel can support.
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
----
- security/selinux/Kconfig            | 38 -------------------------------------
- security/selinux/include/security.h |  4 ----
- 2 files changed, 42 deletions(-)
-
-diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
-index 8691e92..ea7e3ef 100644
---- a/security/selinux/Kconfig
-+++ b/security/selinux/Kconfig
-@@ -93,41 +93,3 @@ config SECURITY_SELINUX_CHECKREQPROT_VALUE
- 	  via /selinux/checkreqprot if authorized by policy.
-
- 	  If you are unsure how to answer this question, answer 0.
--
--config SECURITY_SELINUX_POLICYDB_VERSION_MAX
--	bool "NSA SELinux maximum supported policy format version"
--	depends on SECURITY_SELINUX
--	default n
--	help
--	  This option enables the maximum policy format version supported
--	  by SELinux to be set to a particular value.  This value is reported
--	  to userspace via /selinux/policyvers and used at policy load time.
--	  It can be adjusted downward to support legacy userland (init) that
--	  does not correctly handle kernels that support newer policy versions.
--
--	  Examples:
--	  For the Fedora Core 3 or 4 Linux distributions, enable this option
--	  and set the value via the next option. For Fedora Core 5 and later,
--	  do not enable this option.
--
--	  If you are unsure how to answer this question, answer N.
--
--config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
--	int "NSA SELinux maximum supported policy format version value"
--	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX
--	range 15 23
--	default 19
--	help
--	  This option sets the value for the maximum policy format version
--	  supported by SELinux.
--
--	  Examples:
--	  For Fedora Core 3, use 18.
--	  For Fedora Core 4, use 19.
--
--	  If you are unsure how to answer this question, look for the
--	  policy format version supported by your policy toolchain, by
--	  running 'checkpolicy -V'. Or look at what policy you have
--	  installed under /etc/selinux/$SELINUXTYPE/policy, where
--	  SELINUXTYPE is defined in your /etc/selinux/config.
--
-diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
-index 38feb55..308a286 100644
---- a/security/selinux/include/security.h
-+++ b/security/selinux/include/security.h
-@@ -39,11 +39,7 @@
-
- /* Range of policy versions we understand*/
- #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
--#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
--#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
--#else
- #define POLICYDB_VERSION_MAX	POLICYDB_VERSION_XPERMS_IOCTL
--#endif
-
- /* Mask for just the mount related flags */
- #define SE_MNTMASK	0x0f
--- 
-2.7.4
-
diff --git a/sources b/sources
index d1da58fe0..556a70a7d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,4 @@
 c1af0afbd3df35c1ccdc7a5118cd2d07  linux-4.8.tar.xz
 0dad03f586e835d538d3e0d2cbdb9a28  perf-man-4.8.tar.gz
 16c84040a62d0127bc02b8cad49910fd  patch-4.8-git1.xz
+7d9925bfab67c065fbfa4df91cf9a4b4  patch-4.8-git2.xz