From f513b403b05ef868f3e0aa14a4c5e57b6b85661c Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 19 Jul 2021 22:41:03 -0500 Subject: kernel-5.13.3-200 * Mon Jul 19 2021 Justin M. Forbes [5.13.3-200] - kernel-5.13.3-0 (Justin M. Forbes) - Don't tag a release as [redhat] (Justin M. Forbes) - platform/x86: amd-pmc: Fix missing unlock on error in amd_pmc_send_cmd() (Yang Yingliang) Resolves: rhbz# Signed-off-by: Justin M. Forbes --- mod-denylist.sh | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 164 insertions(+) create mode 100755 mod-denylist.sh (limited to 'mod-denylist.sh') diff --git a/mod-denylist.sh b/mod-denylist.sh new file mode 100755 index 000000000..6127d145f --- /dev/null +++ b/mod-denylist.sh @@ -0,0 +1,164 @@ +#! /bin/bash +# shellcheck disable=SC2164 + +RpmDir=$1 +ModDir=$2 +Dir="$1/$2" +# Note the list filename must have the format mod-[PACKAGE].list, for example, +# mod-internal.list or mod-extra.list. The PACKAGE is used to create a +# override directory for the modules. +List=$3 +Dest="$4" + +blacklist() +{ + cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__ + # This kernel module can be automatically loaded by non-root users. To + # enhance system security, the module is blacklisted by default to ensure + # system administrators make the module available for use as needed. + # See https://access.redhat.com/articles/3760101 for more details. + # + # Remove the blacklist by adding a comment # at the start of the line. + blacklist $1 +__EOF__ +} + +check_blacklist() +{ + mod=$(find "$RpmDir/$ModDir" -name "$1") + [ ! "$mod" ] && return 0 + if modinfo "$mod" | grep -q '^alias:\s\+net-'; then + mod="${1##*/}" + mod="${mod%.ko*}" + echo "$mod has an alias that allows auto-loading. Blacklisting." + blacklist "$mod" + fi +} + +find_depends() +{ + dep=$1 + depends=$(modinfo "$dep" | sed -n -e "/^depends/ s/^depends:[ \t]*//p") + [ -z "$depends" ] && exit + for mod in ${depends//,/ } + do + match=$(grep "^$mod.ko" "$ListName") + [ -z "$match" ] && continue + # check if the module we are looking at is in mod-* too. + # if so we do not need to mark the dep as required. + mod2=${dep##*/} # same as $(basename $dep), but faster + match2=$(grep "^$mod2" "$ListName") + if [ -n "$match2" ] + then + #echo $mod2 >> notreq.list + continue + fi + echo "$mod".ko >> req.list + done +} + +foreachp() +{ + P=$(nproc) + bgcount=0 + while read -r mod; do + $1 "$mod" & + + bgcount=$((bgcount + 1)) + if [ $bgcount -eq "$P" ]; then + wait -n + bgcount=$((bgcount - 1)) + fi + done + + wait +} + +# Destination was specified on the command line +test -n "$4" && echo "$0: Override Destination $Dest has been specified." + +pushd "$Dir" + +OverrideDir=$(basename "$List") +OverrideDir=${OverrideDir%.*} +OverrideDir=${OverrideDir#*-} +mkdir -p "$OverrideDir" + +rm -rf modnames +find . -name "*.ko" -type f > modnames +# Look through all of the modules, and throw any that have a dependency in +# our list into the list as well. +rm -rf dep.list dep2.list +rm -rf req.list req2.list +touch dep.list req.list +cp "$List" . + +# This variable needs to be exported because it is used in sub-script +# executed by xargs +ListName=$(basename "$List") +export ListName + +foreachp find_depends < modnames + +sort -u req.list > req2.list +sort -u "$ListName" > modules2.list +join -v 1 modules2.list req2.list > modules3.list + +while IFS= read -r mod +do + # get the path for the module + modpath=$(grep /"$mod" modnames) + [ -z "$modpath" ] && continue + echo "$modpath" >> dep.list +done < modules3.list + +sort -u dep.list > dep2.list + +if [ -n "$Dest" ]; then + # now move the modules into the $Dest directory + while IFS= read -r mod + do + newpath=$(dirname "$mod" | sed -e "s/kernel\\//$Dest\//") + mkdir -p "$newpath" + mv "$mod" "$newpath" + echo "$mod" | sed -e "s/kernel\\//$Dest\//" | sed -e "s|^.|${ModDir}|g" >> "$RpmDir"/"$ListName" + done < dep2.list +fi + +popd + +# If we're signing modules, we can't leave the .mod files for the .ko files +# we've moved in .tmp_versions/. Remove them so the Kbuild 'modules_sign' +# target doesn't try to sign a non-existent file. This is kinda ugly, but +# so are the modules-* packages. + +while IFS= read -r mod +do + modfile=$(basename "$mod" | sed -e 's/.ko/.mod/') + rm .tmp_versions/"$modfile" +done < "$Dir"/dep2.list + +if [ -z "$Dest" ]; then + sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName" + echo "./$RpmDir/$ListName created." + [ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/" + foreachp check_blacklist < "$List" +fi + +# Many BIOS-es export a PNP-id which causes the floppy driver to autoload +# even though most modern systems don't have a 3.5" floppy driver anymore +# this replaces the old die_floppy_die.patch which removed the PNP-id from +# the module + +floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*) +if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then + blacklist "floppy" +fi + +# avoid an empty kernel-extra package +echo "$ModDir/$OverrideDir" >> "$RpmDir/$ListName" + +pushd "$Dir" +rm modnames dep.list dep2.list req.list req2.list +rm "$ListName" modules2.list modules3.list +popd -- cgit