From 074d4eb8467b9fe0ef8df99a0d08c63dedc25a58 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 25 Jun 2021 07:18:06 -0500 Subject: kernel-5.13.0-0.rc7.20210625git44db63d1ad8d.55 * Fri Jun 25 2021 Fedora Kernel Team [5.13.0-0.rc7.20210625git44db63d1ad8d.55] - redhat/configs: Enable needed drivers for BlueField SoC on aarch64 (Alaa Hleihel) [1858592 1858594 1858596] - redhat: Rename mod-blacklist.sh to mod-denylist.sh (Prarit Bhargava) Resolves: rhbz#1858592, rhbz#1858594, rhbz#1858596 Signed-off-by: Justin M. Forbes --- mod-denylist.sh | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 164 insertions(+) create mode 100755 mod-denylist.sh (limited to 'mod-denylist.sh')
diff --git a/mod-denylist.sh b/mod-denylist.sh
new file mode 100755
index 000000000..6127d145f
--- /dev/null
+++ b/mod-denylist.sh
@@ -0,0 +1,164 @@
+#! /bin/bash
+# shellcheck disable=SC2164
+
+RpmDir=$1
+ModDir=$2
+Dir="$1/$2"
+# Note the list filename must have the format mod-[PACKAGE].list, for example,
+# mod-internal.list or mod-extra.list. The PACKAGE is used to create a
+# override directory for the modules.
+List=$3
+Dest="$4"
+
+blacklist()
+{
+ cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__
+ # This kernel module can be automatically loaded by non-root users. To
+ # enhance system security, the module is blacklisted by default to ensure
+ # system administrators make the module available for use as needed.
+ # See https://access.redhat.com/articles/3760101 for more details.
+ #
+ # Remove the blacklist by adding a comment # at the start of the line.
+ blacklist $1
+__EOF__
+}
+
+check_blacklist()
+{
+ mod=$(find "$RpmDir/$ModDir" -name "$1")
+ [ ! "$mod" ] && return 0
+ if modinfo "$mod" | grep -q '^alias:\s\+net-'; then
+ mod="${1##*/}"
+ mod="${mod%.ko*}"
+ echo "$mod has an alias that allows auto-loading. Blacklisting."
+ blacklist "$mod"
+ fi
+}
+
+find_depends()
+{
+ dep=$1
+ depends=$(modinfo "$dep" | sed -n -e "/^depends/ s/^depends:[ \t]*//p")
+ [ -z "$depends" ] && exit
+ for mod in ${depends//,/ }
+ do
+ match=$(grep "^$mod.ko" "$ListName")
+ [ -z "$match" ] && continue
+ # check if the module we are looking at is in mod-* too.
+ # if so we do not need to mark the dep as required.
+ mod2=${dep##*/} # same as $(basename $dep), but faster
+ match2=$(grep "^$mod2" "$ListName")
+ if [ -n "$match2" ]
+ then
+ #echo $mod2 >> notreq.list
+ continue
+ fi
+ echo "$mod".ko >> req.list
+ done
+}
+
+foreachp()
+{
+ P=$(nproc)
+ bgcount=0
+ while read -r mod; do
+ $1 "$mod" &
+
+ bgcount=$((bgcount + 1))
+ if [ $bgcount -eq "$P" ]; then
+ wait -n
+ bgcount=$((bgcount - 1))
+ fi
+ done
+
+ wait
+}
+
+# Destination was specified on the command line
+test -n "$4" && echo "$0: Override Destination $Dest has been specified."
+
+pushd "$Dir"
+
+OverrideDir=$(basename "$List")
+OverrideDir=${OverrideDir%.*}
+OverrideDir=${OverrideDir#*-}
+mkdir -p "$OverrideDir"
+
+rm -rf modnames
+find . -name "*.ko" -type f > modnames
+# Look through all of the modules, and throw any that have a dependency in
+# our list into the list as well.
+rm -rf dep.list dep2.list
+rm -rf req.list req2.list
+touch dep.list req.list
+cp "$List" .
+
+# This variable needs to be exported because it is used in sub-script
+# executed by xargs
+ListName=$(basename "$List")
+export ListName
+
+foreachp find_depends < modnames
+
+sort -u req.list > req2.list
+sort -u "$ListName" > modules2.list
+join -v 1 modules2.list req2.list > modules3.list
+
+while IFS= read -r mod
+do
+ # get the path for the module
+ modpath=$(grep /"$mod" modnames)
+ [ -z "$modpath" ] && continue
+ echo "$modpath" >> dep.list
+done < modules3.list
+
+sort -u dep.list > dep2.list
+
+if [ -n "$Dest" ]; then
+ # now move the modules into the $Dest directory
+ while IFS= read -r mod
+ do
+ newpath=$(dirname "$mod" | sed -e "s/kernel\\//$Dest\//")
+ mkdir -p "$newpath"
+ mv "$mod" "$newpath"
+ echo "$mod" | sed -e "s/kernel\\//$Dest\//" | sed -e "s|^.|${ModDir}|g" >> "$RpmDir"/"$ListName"
+ done < dep2.list
+fi
+
+popd
+
+# If we're signing modules, we can't leave the .mod files for the .ko files
+# we've moved in .tmp_versions/. Remove them so the Kbuild 'modules_sign'
+# target doesn't try to sign a non-existent file. This is kinda ugly, but
+# so are the modules-* packages.
+
+while IFS= read -r mod
+do
+ modfile=$(basename "$mod" | sed -e 's/.ko/.mod/')
+ rm .tmp_versions/"$modfile"
+done < "$Dir"/dep2.list
+
+if [ -z "$Dest" ]; then
+ sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName"
+ echo "./$RpmDir/$ListName created."
+ [ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/"
+ foreachp check_blacklist < "$List"
+fi
+
+# Many BIOS-es export a PNP-id which causes the floppy driver to autoload
+# even though most modern systems don't have a 3.5" floppy driver anymore
+# this replaces the old die_floppy_die.patch which removed the PNP-id from
+# the module
+
+floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*)
+if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then
+ blacklist "floppy"
+fi
+
+# avoid an empty kernel-extra package
+echo "$ModDir/$OverrideDir" >> "$RpmDir/$ListName"
+
+pushd "$Dir"
+rm modnames dep.list dep2.list req.list req2.list
+rm "$ListName" modules2.list modules3.list
+popd
-- cgit From f8ba90246efa42ef660cc2bb884e35875fea42ed Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 6 Jul 2021 10:25:51 -0500 Subject: kernel-5.14.0-0.rc0.20210706git79160a603bdb.11 * Tue Jul 06 2021 Justin M. Forbes [5.14.0-0.rc0.20210706git79160a603bdb.11] - common: enable STRICT_MODULE_RWX everywhere (Peter Robinson) Resolves: rhbz# Signed-off-by: Justin M. Forbes --- mod-denylist.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'mod-denylist.sh')
diff --git a/mod-denylist.sh b/mod-denylist.sh
index 6127d145f..47eb1a7b4 100755
--- a/mod-denylist.sh
+++ b/mod-denylist.sh
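Review bot: `check_blacklist` in the new mod-denylist.sh fails open: the status of `modinfo "$mod" | grep -q ...` is grep's alone, so a `modinfo` error (for instance if `find` prints more than one path into `$mod`) reads the same as "no net- alias" and the module is silently left without a modprobe.d entry. Since this function is the control that keeps auto-loadable modules blocked by default, capture and check the output first, e.g. `info=$(modinfo "$mod") || { echo "$0: modinfo failed for $1" >&2; return 1; }`, and grep `$info` afterwards. `foreachp` ends in a bare `wait`, which discards the background jobs' exit statuses, so the stderr message is what makes such a failure visible in the build log. Separately, `pushd "$Dir"` is unchecked (SC2164 is disabled for the whole file), so a bad `$1/$2` lets the following `rm -rf`, `find .` and `mv` run in the caller's directory; `pushd "$Dir" || exit 1` closes that.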
@@ -10,28 +10,28 @@ Dir="$1/$2" List=$3 Dest="$4" -blacklist() +denylist() { - cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__ + cat > "$RpmDir/etc/modprobe.d/$1-denylist.conf" <<-__EOF__ # This kernel module can be automatically loaded by non-root users. To - # enhance system security, the module is blacklisted by default to ensure + # enhance system security, the module is denylisted by default to ensure # system administrators make the module available for use as needed. # See https://access.redhat.com/articles/3760101 for more details. # - # Remove the blacklist by adding a comment # at the start of the line. + # Remove the denylist by adding a comment # at the start of the line. blacklist $1 __EOF__ } -check_blacklist() +check_denylist() { mod=$(find "$RpmDir/$ModDir" -name "$1") [ ! "$mod" ] && return 0 if modinfo "$mod" | grep -q '^alias:\s\+net-'; then mod="${1##*/}" mod="${mod%.ko*}" - echo "$mod has an alias that allows auto-loading. Blacklisting." - blacklist "$mod" + echo "Blocking $mod from auto-loading." + denylist "$mod" fi } @@ -142,7 +142,7 @@ if [ -z "$Dest" ]; then sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName" echo "./$RpmDir/$ListName created." [ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/" - foreachp check_blacklist < "$List" + foreachp check_denylist < "$List" fi # Many BIOS-es export a PNP-id which causes the floppy driver to autoload @@ -152,7 +152,7 @@ fi floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*) if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then - blacklist "floppy" + denylist "floppy" fi # avoid an empty kernel-extra package -- cgit From 8bce7ff2cad10bdc2007a27acecadb3c607889fe Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 6 Jul 2021 12:22:56 -0500 Subject: Back out mod-denylist.sh changes until dracut is ready 
Signed-off-by: Justin M. Forbes --- mod-denylist.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'mod-denylist.sh') diff --git a/mod-denylist.sh b/mod-denylist.sh index 47eb1a7b4..6127d145f 100755 --- a/mod-denylist.sh +++ b/mod-denylist.sh @@ -10,28 +10,28 @@ Dir="$1/$2" List=$3 Dest="$4" -denylist() +blacklist() { - cat > "$RpmDir/etc/modprobe.d/$1-denylist.conf" <<-__EOF__ + cat > "$RpmDir/etc/modprobe.d/$1-blacklist.conf" <<-__EOF__ # This kernel module can be automatically loaded by non-root users. To - # enhance system security, the module is denylisted by default to ensure + # enhance system security, the module is blacklisted by default to ensure # system administrators make the module available for use as needed. # See https://access.redhat.com/articles/3760101 for more details. # - # Remove the denylist by adding a comment # at the start of the line. + # Remove the blacklist by adding a comment # at the start of the line. blacklist $1 __EOF__ } -check_denylist() +check_blacklist() { mod=$(find "$RpmDir/$ModDir" -name "$1") [ ! "$mod" ] && return 0 if modinfo "$mod" | grep -q '^alias:\s\+net-'; then mod="${1##*/}" mod="${mod%.ko*}" - echo "Blocking $mod from auto-loading." - denylist "$mod" + echo "$mod has an alias that allows auto-loading. Blacklisting." + blacklist "$mod" fi } @@ -142,7 +142,7 @@ if [ -z "$Dest" ]; then sed -e "s|^.|${ModDir}|g" "$Dir"/dep2.list > "$RpmDir/$ListName" echo "./$RpmDir/$ListName created." [ -d "$RpmDir/etc/modprobe.d/" ] || mkdir -p "$RpmDir/etc/modprobe.d/" - foreachp check_denylist < "$List" + foreachp check_blacklist < "$List" fi # Many BIOS-es export a PNP-id which causes the floppy driver to autoload @@ -152,7 +152,7 @@ fi floppylist=("$RpmDir"/"$ModDir"/kernel/drivers/block/floppy.ko*) if [[ -n ${floppylist[0]} && -f ${floppylist[0]} ]]; then - denylist "floppy" + blacklist "floppy" fi # avoid an empty kernel-extra package -- cgit