From 232bd7472643da245ebe5704f763ea7f96343cfc Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Thu, 3 Jun 2021 08:29:35 -0500
Subject: kernel-5.12.9-0
* Thu Jun 03 2021 Justin M. Forbes [5.12.9-0]
- selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal)
Resolves: rhbz#
Signed-off-by: Justin M. Forbes
---
Patchlist.changelog | 3 ++
kernel.spec | 11 +++--
patch-5.12-redhat.patch | 109 ++++++++----------------------------------
sources | 6 +--
4 files changed, 30 insertions(+), 99 deletions(-)
diff --git a/Patchlist.changelog b/Patchlist.changelog
index 3c544c0ff..c27ff643c 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,6 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/26fb1eba374faf7704bab5126612ae87b9f9f9fa
+ 26fb1eba374faf7704bab5126612ae87b9f9f9fa selinux: Allow context mounts for unpriviliged overlayfs
+
https://gitlab.com/cki-project/kernel-ark/-/commit/b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc
b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS
diff --git a/kernel.spec b/kernel.spec
index 0e2c5839f..8c9d23c35 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -106,7 +106,7 @@ Summary: The Linux kernel
%define primary_target rhel
%endif
-%define rpmversion 5.12.8
+%define rpmversion 5.12.9
%define stableversion 5.12
%define pkgrelease 300
@@ -623,7 +623,7 @@ BuildRequires: clang
# exact git commit you can run
#
# xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.12.8.tar.xz
+Source0: linux-5.12.9.tar.xz
Source1: Makefile.rhelver
@@ -1277,8 +1277,8 @@ ApplyOptionalPatch()
fi
}
-%setup -q -n kernel-5.12.8 -c
-mv linux-5.12.8 linux-%{KVERREL}
+%setup -q -n kernel-5.12.9 -c
+mv linux-5.12.9 linux-%{KVERREL}
cd linux-%{KVERREL}
cp -a %{SOURCE1} .
@@ -2792,6 +2792,9 @@ fi
#
#
%changelog
+* Thu Jun 03 2021 Justin M. Forbes [5.12.9-0]
+- selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal)
+
* Wed May 26 2021 Justin M. Forbes [5.12.7-0]
- Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS (Justin M. Forbes)
- powerpc/64s/syscall: Fix ptrace syscall info with scv syscalls (Nicholas Piggin)
diff --git a/patch-5.12-redhat.patch b/patch-5.12-redhat.patch
index 0b95ed537..a082bca72 100644
--- a/patch-5.12-redhat.patch
+++ b/patch-5.12-redhat.patch
@@ -35,12 +35,12 @@ include/linux/security.h | 5 +
kernel/crash_core.c | 28 ++++-
kernel/module_signing.c | 9 +-
- net/can/isotp.c | 49 +++++---
security/integrity/platform_certs/load_uefi.c | 6 +-
security/lockdown/Kconfig | 13 +++
security/lockdown/lockdown.c | 1 +
security/security.c | 6 +
- 42 files changed, 652 insertions(+), 193 deletions(-)
+ security/selinux/hooks.c | 3 +-
+ 42 files changed, 621 insertions(+), 178 deletions(-)
diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst
index 75a9dd98e76e..3ff3291551f9 100644
@@ -65,7 +65,7 @@ index 75a9dd98e76e..3ff3291551f9 100644
Boot into System Kernel
diff --git a/Makefile b/Makefile
-index a20afcb7d2bf..a19908237e8a 100644
+index d53577db1085..a34665269a9a 100644
--- a/Makefile
+++ b/Makefile
@@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE
@@ -1468,95 +1468,6 @@ index 8723ae70ea1f..fb2d773498c2 100644
+ }
+ return ret;
}
-diff --git a/net/can/isotp.c b/net/can/isotp.c
-index 9f94ad3caee9..253b24417c8e 100644
---- a/net/can/isotp.c
-+++ b/net/can/isotp.c
-@@ -1062,27 +1062,31 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
- if (len < ISOTP_MIN_NAMELEN)
- return -EINVAL;
-
-+ if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-+ return -EADDRNOTAVAIL;
-+
-+ if (!addr->can_ifindex)
-+ return -ENODEV;
-+
-+ lock_sock(sk);
-+
- /* do not register frame reception for functional addressing */
- if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
- do_rx_reg = 0;
-
- /* do not validate rx address for functional addressing */
- if (do_rx_reg) {
-- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
-- return -EADDRNOTAVAIL;
-+ if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
-+ err = -EADDRNOTAVAIL;
-+ goto out;
-+ }
-
-- if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-- return -EADDRNOTAVAIL;
-+ if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
-+ err = -EADDRNOTAVAIL;
-+ goto out;
-+ }
- }
-
-- if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-- return -EADDRNOTAVAIL;
--
-- if (!addr->can_ifindex)
-- return -ENODEV;
--
-- lock_sock(sk);
--
- if (so->bound && addr->can_ifindex == so->ifindex &&
- addr->can_addr.tp.rx_id == so->rxid &&
- addr->can_addr.tp.tx_id == so->txid)
-@@ -1164,16 +1168,13 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
- return ISOTP_MIN_NAMELEN;
- }
-
--static int isotp_setsockopt(struct socket *sock, int level, int optname,
-+static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
- sockptr_t optval, unsigned int optlen)
- {
- struct sock *sk = sock->sk;
- struct isotp_sock *so = isotp_sk(sk);
- int ret = 0;
-
-- if (level != SOL_CAN_ISOTP)
-- return -EINVAL;
--
- if (so->bound)
- return -EISCONN;
-
-@@ -1248,6 +1249,22 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname,
- return ret;
- }
-
-+static int isotp_setsockopt(struct socket *sock, int level, int optname,
-+ sockptr_t optval, unsigned int optlen)
-+
-+{
-+ struct sock *sk = sock->sk;
-+ int ret;
-+
-+ if (level != SOL_CAN_ISOTP)
-+ return -EINVAL;
-+
-+ lock_sock(sk);
-+ ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
-+ release_sock(sk);
-+ return ret;
-+}
-+
- static int isotp_getsockopt(struct socket *sock, int level, int optname,
- char __user *optval, int __user *optlen)
- {
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index ee4b4c666854..eff9ff593405 100644
--- a/security/integrity/platform_certs/load_uefi.c
@@ -1634,3 +1545,17 @@ index 5ac96b16f8fa..fc47d6de57ee 100644
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index ddd097790d47..eca9fc0ba764 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
+ if (sb->s_user_ns != &init_user_ns &&
+ strcmp(sb->s_type->name, "tmpfs") &&
+ strcmp(sb->s_type->name, "ramfs") &&
+- strcmp(sb->s_type->name, "devpts")) {
++ strcmp(sb->s_type->name, "devpts") &&
++ strcmp(sb->s_type->name, "overlay")) {
+ if (context_sid || fscontext_sid || rootcontext_sid ||
+ defcontext_sid) {
+ rc = -EACCES;
diff --git a/sources b/sources
index db1653750..eda3e71f1 100644
--- a/sources
+++ b/sources
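Review bot: The new `strcmp(sb->s_type->name, "overlay")` clause in the nested security/selinux/hooks.c hunk removes the -EACCES that previously rejected context=/fscontext=/rootcontext=/defcontext= on overlay mounts made from a non-init user namespace, but neither the hunk nor the one-line title records what still stops an unprivileged mounter from choosing an arbitrary label for that mount; presumably the relabelfrom/relabelto permission checks later in selinux_set_mnt_opts, which are outside this hunk, still gate it — confirm before carrying the patch. Since the allowlist is now four chained strcmp() calls with no rationale, I would add a comment above the `if`, e.g. `/* filesystems mountable from a user namespace whose context options remain subject to the relabel permission checks below — keep that invariant when extending */`, so the next addition has to justify itself against it. The Fedora changelog entry would also benefit from saying this is a deliberate relaxation for unprivileged overlayfs mounts (visible to SELinux policy authors) rather than a bug fix. selinux_set_mnt_opts starts and ends outside this hunk.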
@@ -1,3 +1,3 @@
-SHA512 (linux-5.12.8.tar.xz) = 4af33ce63a4ce89205808bad9e84b72197ed9976d10fa8287d5690f2524cc51e542814399de08944dcb2cc2b8c708f449ed3888e10f98704d551d6ecd2236797
-SHA512 (kernel-abi-whitelists-5.12.8-300.tar.bz2) = 1520b4b8bf7f408de03ef72a9071f77fd49e86c837fa58085013c735d774f188d58310ded467bcd3b24504d0383f5ed53aa90dd69f2415bbd2237bc200021c50
-SHA512 (kernel-kabi-dw-5.12.8-300.tar.bz2) = 59c9fab14bc3126224cc133ebfaac627ce849d4a8713b1c618dc6cdbcc8a8ebd2c28b2d6959fda340ae9630c91bd8a107c11ac0b02da887fda0b4cf52a3397e9
+SHA512 (linux-5.12.9.tar.xz) = 1c5e212aa17115c60cc73cd2f5736cfddd5f8d70f4196e261e3bf8ec30deeb22a0b8d6c22148333b14f74b81ee29307e7ed5a090d78abf8492e7bcf62bd75327
+SHA512 (kernel-abi-whitelists-5.12.9-300.tar.bz2) = 78a7f8b2007c22e986d699fabe87cbce9655f63e8cb189963eec943b309133a9005115b195018dcb4815ffeae5aef3ae20f20659493e47960168e47a288ff7f6
+SHA512 (kernel-kabi-dw-5.12.9-300.tar.bz2) = 0bddc7298acd32944bdb20fbef0015b4c5559b8054779ec8d04b2fdf3747e1975755e4716dc2536f1de931aa1d4e05447d4a15ec20c3db58500af8aaaeeece65
-- cgit