authorThorsten Leemhuis <fedora@leemhuis.info>2021-06-10 13:44:21 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2021-06-10 13:44:21 +0200
commit7ef433a9b1dc06b245e31174bd06d39c59001476 (patch)
tree9fb15a0e0da611a6eceea43794e02a6781fa9e48
parent1e1a9bf91756b960f128e9374472a2b304228c1a (diff)
parent232bd7472643da245ebe5704f763ea7f96343cfc (diff)
downloadkernel-7ef433a9b1dc06b245e31174bd06d39c59001476.tar.gz
kernel-7ef433a9b1dc06b245e31174bd06d39c59001476.tar.xz
kernel-7ef433a9b1dc06b245e31174bd06d39c59001476.zip
Merge remote-tracking branch 'origin/f34' into f34-user-thl-vanilla-fedora
-rw-r--r--Patchlist.changelog3
-rwxr-xr-xkernel.spec3
-rw-r--r--patch-5.12-redhat.patch109
-rw-r--r--sources6
4 files changed, 26 insertions, 95 deletions
diff --git a/Patchlist.changelog b/Patchlist.changelog
index 3c544c0ff..c27ff643c 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,6 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/26fb1eba374faf7704bab5126612ae87b9f9f9fa
+ 26fb1eba374faf7704bab5126612ae87b9f9f9fa selinux: Allow context mounts for unpriviliged overlayfs
+
https://gitlab.com/cki-project/kernel-ark/-/commit/b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc
b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS
diff --git a/kernel.spec b/kernel.spec
index f34b126d9..8df06c220 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -2797,6 +2797,9 @@ fi
#
#
%changelog
+* Thu Jun 03 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.9-0]
+- selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal)
+
* Wed May 26 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.7-0]
- Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS (Justin M. Forbes)
- powerpc/64s/syscall: Fix ptrace syscall info with scv syscalls (Nicholas Piggin)
diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch
index 0b95ed537..a082bca72 100644
--- a/patch-5.12-redhat.patch
+++ b/patch-5.12-redhat.patch
@@ -35,12 +35,12 @@
include/linux/security.h | 5 +
kernel/crash_core.c | 28 ++++-
kernel/module_signing.c | 9 +-
- net/can/isotp.c | 49 +++++---
security/integrity/platform_certs/load_uefi.c | 6 +-
security/lockdown/Kconfig | 13 +++
security/lockdown/lockdown.c | 1 +
security/security.c | 6 +
- 42 files changed, 652 insertions(+), 193 deletions(-)
+ security/selinux/hooks.c | 3 +-
+ 42 files changed, 621 insertions(+), 178 deletions(-)
diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst
index 75a9dd98e76e..3ff3291551f9 100644
@@ -65,7 +65,7 @@ index 75a9dd98e76e..3ff3291551f9 100644
Boot into System Kernel
diff --git a/Makefile b/Makefile
-index a20afcb7d2bf..a19908237e8a 100644
+index d53577db1085..a34665269a9a 100644
--- a/Makefile
+++ b/Makefile
@@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE
@@ -1468,95 +1468,6 @@ index 8723ae70ea1f..fb2d773498c2 100644
+ }
+ return ret;
}
-diff --git a/net/can/isotp.c b/net/can/isotp.c
-index 9f94ad3caee9..253b24417c8e 100644
---- a/net/can/isotp.c
-+++ b/net/can/isotp.c
-@@ -1062,27 +1062,31 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
- if (len < ISOTP_MIN_NAMELEN)
- return -EINVAL;
-
-+ if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-+ return -EADDRNOTAVAIL;
-+
-+ if (!addr->can_ifindex)
-+ return -ENODEV;
-+
-+ lock_sock(sk);
-+
- /* do not register frame reception for functional addressing */
- if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
- do_rx_reg = 0;
-
- /* do not validate rx address for functional addressing */
- if (do_rx_reg) {
-- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
-- return -EADDRNOTAVAIL;
-+ if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
-+ err = -EADDRNOTAVAIL;
-+ goto out;
-+ }
-
-- if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-- return -EADDRNOTAVAIL;
-+ if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
-+ err = -EADDRNOTAVAIL;
-+ goto out;
-+ }
- }
-
-- if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-- return -EADDRNOTAVAIL;
--
-- if (!addr->can_ifindex)
-- return -ENODEV;
--
-- lock_sock(sk);
--
- if (so->bound && addr->can_ifindex == so->ifindex &&
- addr->can_addr.tp.rx_id == so->rxid &&
- addr->can_addr.tp.tx_id == so->txid)
-@@ -1164,16 +1168,13 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
- return ISOTP_MIN_NAMELEN;
- }
-
--static int isotp_setsockopt(struct socket *sock, int level, int optname,
-+static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
- sockptr_t optval, unsigned int optlen)
- {
- struct sock *sk = sock->sk;
- struct isotp_sock *so = isotp_sk(sk);
- int ret = 0;
-
-- if (level != SOL_CAN_ISOTP)
-- return -EINVAL;
--
- if (so->bound)
- return -EISCONN;
-
-@@ -1248,6 +1249,22 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname,
- return ret;
- }
-
-+static int isotp_setsockopt(struct socket *sock, int level, int optname,
-+ sockptr_t optval, unsigned int optlen)
-+
-+{
-+ struct sock *sk = sock->sk;
-+ int ret;
-+
-+ if (level != SOL_CAN_ISOTP)
-+ return -EINVAL;
-+
-+ lock_sock(sk);
-+ ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
-+ release_sock(sk);
-+ return ret;
-+}
-+
- static int isotp_getsockopt(struct socket *sock, int level, int optname,
- char __user *optval, int __user *optlen)
- {
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index ee4b4c666854..eff9ff593405 100644
--- a/security/integrity/platform_certs/load_uefi.c
@@ -1634,3 +1545,17 @@ index 5ac96b16f8fa..fc47d6de57ee 100644
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index ddd097790d47..eca9fc0ba764 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
+ if (sb->s_user_ns != &init_user_ns &&
+ strcmp(sb->s_type->name, "tmpfs") &&
+ strcmp(sb->s_type->name, "ramfs") &&
+- strcmp(sb->s_type->name, "devpts")) {
++ strcmp(sb->s_type->name, "devpts") &&
++ strcmp(sb->s_type->name, "overlay")) {
+ if (context_sid || fscontext_sid || rootcontext_sid ||
+ defcontext_sid) {
+ rc = -EACCES;
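Review bot: The new `strcmp(sb->s_type->name, "overlay")` term exempts overlay from the `-EACCES` rejection purely by filesystem-type name, and nothing in the visible lines records why that is safe for a superblock whose `s_user_ns` is not `init_user_ns`. With this change a mounter in a non-initial user namespace can supply the context options behind `context_sid`, `fscontext_sid`, `rootcontext_sid` and `defcontext_sid` for overlay, so whatever per-option permission checks `selinux_set_mnt_opts` performs further down become the only gate; those lie outside the hunk and should be confirmed to run on this path. I would add a comment above the condition along the lines of `/* overlay is exempt: context options from a userns mounter are still subject to the relabel checks below (confirm) */`, so the next type added to the list has to state its own rationale. As a style point, the chain is now four `strcmp` calls and would read better as a small static helper over a table of exempt type names. The function starts and ends outside the hunk, so an existing comment above the `if` may already cover part of this.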
diff --git a/sources b/sources
index db1653750..eda3e71f1 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-5.12.8.tar.xz) = 4af33ce63a4ce89205808bad9e84b72197ed9976d10fa8287d5690f2524cc51e542814399de08944dcb2cc2b8c708f449ed3888e10f98704d551d6ecd2236797
-SHA512 (kernel-abi-whitelists-5.12.8-300.tar.bz2) = 1520b4b8bf7f408de03ef72a9071f77fd49e86c837fa58085013c735d774f188d58310ded467bcd3b24504d0383f5ed53aa90dd69f2415bbd2237bc200021c50
-SHA512 (kernel-kabi-dw-5.12.8-300.tar.bz2) = 59c9fab14bc3126224cc133ebfaac627ce849d4a8713b1c618dc6cdbcc8a8ebd2c28b2d6959fda340ae9630c91bd8a107c11ac0b02da887fda0b4cf52a3397e9
+SHA512 (linux-5.12.9.tar.xz) = 1c5e212aa17115c60cc73cd2f5736cfddd5f8d70f4196e261e3bf8ec30deeb22a0b8d6c22148333b14f74b81ee29307e7ed5a090d78abf8492e7bcf62bd75327
+SHA512 (kernel-abi-whitelists-5.12.9-300.tar.bz2) = 78a7f8b2007c22e986d699fabe87cbce9655f63e8cb189963eec943b309133a9005115b195018dcb4815ffeae5aef3ae20f20659493e47960168e47a288ff7f6
+SHA512 (kernel-kabi-dw-5.12.9-300.tar.bz2) = 0bddc7298acd32944bdb20fbef0015b4c5559b8054779ec8d04b2fdf3747e1975755e4716dc2536f1de931aa1d4e05447d4a15ec20c3db58500af8aaaeeece65