Update from 5.4 to 5.10.1

- rediffed most of the patches; renamed files to ease further rediffs with git format-patch
- thanks to abf.io/kernels_stable for some patches for kernel 5.9
- using an unofficial patch for AUFS for kernel 5.10; there may be stability issues, so try to avoid using AUFS (I would have dropped it, but MagOS wants it very much)
- pulled updates of AltHa from http://git.altlinux.org/gears/k/kernel-image-un-def.git?p=kernel-image-un-def.git;a=history;f=security/altha;hb=HEAD
- dropped the patch adding a sysctl to disable disk-based swap because it has not found any usage
- bpf is now in the list of LSM modules (the ability to write LSM modules as BPF programs); enabling it, as it is potentially useful and does not seem to be harmful
- keeping kernel libc headers in older kernels for now
- dropped building external virtualbox guest modules because they are now included in the mainline kernel
- turned off building VirtualBox host modules; I do not know how to keep these binary modules in sync with the userspace part of VirtualBox, so users can continue using dkms
- turned off building kernel-shredder because it is not buildable on kernel 5.10
- updated rtl8821ce and added a dependency on its "blacklist" subpackage here (see https://github.com/tomaspinho/rtl8821ce/commit/14b536f0)

It is not clear whether kernel 5.10 will receive LTS support for longer than 5.4. At the moment https://www.kernel.org/category/releases.html declares support until Dec 2022 for 5.10 and until Dec 2025 for 5.4.

TODO: update kernel configs
TODO: solve problems with the version of the virtualbox host modules not matching the version of the virtualbox package after virtualbox is updated but the kernel is not rebuilt
Mikhail Novosyolov 2020-12-20 18:49:24 +03:00
parent cdf9863011
commit 5488a28d4b
14 changed files with 1329 additions and 660 deletions


@ -1,6 +1,6 @@
sources:
linux-5.4.tar.xz: 98ae49ad49397d5a4dcb3ff9a082223edf7c5bbd
patch-5.4.83.xz: fd46a3194568fde38ce5deb974b522c835beed22
linux-5.10.tar.xz: be0b909f1fbb760cc2d5cf146e1da3b2af0cf899
patch-5.10.1.xz: bd49d5869b7b8654f0492622893e1b5b56ca245e
public_key_GOST_1.pem: b4fb6bf1cf73824944931a8f0c2cb7bf427e0774
public_key_GOST_2.pem: cba209bd331f29031c5d945949b230a8d7a4dc12
public_key_GOST_3.pem: e5a223dd7c556d4d0cac326f5ed9fc12dd769afb
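Review bot: the two new entries record 40-hex (SHA-1-length) checksums for `linux-5.10.tar.xz` and `patch-5.10.1.xz`, in the same form as the 5.4 and 5.4.83 entries they replace; because this file is what the build trusts when it fetches the upstream tarball, the commit message should say how these values were obtained (ideally after checking the download against kernel.org's own signature), since a checksum taken from the same download it is meant to protect only catches later corruption, not a substituted upstream artifact. The three `public_key_GOST_*.pem` checksums are unchanged, as expected.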


@ -1,4 +1,4 @@
From f690c6792f5ca5737627ebf800086d7408f17456 Mon Sep 17 00:00:00 2001
From e9343095462964e78faadde92bab44a6a13cd4da Mon Sep 17 00:00:00 2001
From: Kernel Bot <kernelbot@altlinux.org>
Date: Wed, 21 Aug 2019 16:11:26 +0300
Subject: [PATCH 1/2] AltHa LSM module
@ -15,7 +15,7 @@ Changelog:
* lists handling rewritten
* indentation fixed
Rediffed for vanilla kernel 5.4.25
Rediffed for vanilla kernel 5.10.1
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
security/Kconfig | 3 +-
@ -29,7 +29,7 @@ Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
create mode 100644 security/altha/altha_lsm.c
diff --git a/security/Kconfig b/security/Kconfig
index 2a1a2d396228..d21a120b66d4 100644
index 7561f6f99f1d..b7551d9001e6 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -238,6 +238,7 @@ source "security/loadpin/Kconfig"
@ -41,34 +41,34 @@ index 2a1a2d396228..d21a120b66d4 100644
source "security/integrity/Kconfig"
@@ -281,7 +282,7 @@ config LSM
default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
- default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
+ default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,altha"
default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
- default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+ default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,altha"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
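Review bot: a Kconfig `default` for CONFIG_LSM only applies when the build's .config does not set CONFIG_LSM at all, and the commit message still lists "update kernel configs" as TODO; if the shipped configs carry an explicit CONFIG_LSM string, `altha` (and the `bpf` entry the commit message says it wants enabled) must be added there as well, otherwise this rediff changes nothing at runtime. The new placement of `altha` after `bpf` keeps it last in the initialisation order, matching the 5.4 version where it followed `apparmor`.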
diff --git a/security/Makefile b/security/Makefile
index be1dd9d2cb2f..7c9628c2017e 100644
index 3baf435de541..9cc6f5b1b099 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -12,6 +12,7 @@ subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
@@ -13,6 +13,7 @@ subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
subdir-$(CONFIG_BPF_LSM) += bpf
+subdir-$(CONFIG_SECURITY_ALTHA) += altha
# always enable default capabilities
obj-y += commoncap.o
@@ -29,6 +30,7 @@ obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
@@ -32,6 +33,7 @@ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
+obj-$(CONFIG_SECURITY_ALTHA) += altha/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
subdir-$(CONFIG_INTEGRITY) += integrity
diff --git a/security/altha/Kconfig b/security/altha/Kconfig
new file mode 100644
index 000000000000..4bafdef4e58e
@ -427,5 +427,5 @@ index 000000000000..7d1cc8f8a1a7
+};
+
--
2.20.1
2.25.1



@ -1,7 +1,7 @@
From bd9b98a36fb8afa9d3a3900817b340543215da6d Mon Sep 17 00:00:00 2001
From edce12c92c0d1e02a6f41344290ee7adee745ef4 Mon Sep 17 00:00:00 2001
From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
Date: Wed, 11 Dec 2019 21:10:42 +0300
Subject: [PATCH 1/4] audit: make it less verbose
Subject: [PATCH] audit: make it less verbose
It seems, if audit itself is not installed and therefore nothing listens
to the messages from the kernel's audit subsystem, the latter spams the
@ -11,15 +11,16 @@ Let us make them debug-level and thus invisible by default.
http://bugs.rosalinux.ru/show_bug.cgi?id=6235
http://bugs.rosalinux.ru/show_bug.cgi?id=6459
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
kernel/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index da8dc0db5bd3..b1d0cebb78dd 100644
index 68cee3bc8cfe..805633090ea5 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -529,7 +529,7 @@ static void kauditd_printk_skb(struct sk_buff *skb)
@@ -535,7 +535,7 @@ static void kauditd_printk_skb(struct sk_buff *skb)
char *data = nlmsg_data(nlh);
if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
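Review bot: the rediff only moves the hunk from line 529 to 535 and the context line `if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())` is unchanged, so the change is mechanically sound. Since the file is being renamed for `git format-patch` anyway, the description could state the operational consequence that the patch text only implies: on hosts without an audit daemon, audit records no longer show up in the kernel log at the default loglevel, so anyone who relied on dmesg or journald to capture them loses that source unless auditd is installed.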
@ -29,5 +30,5 @@ index da8dc0db5bd3..b1d0cebb78dd 100644
/**
--
2.20.1
2.25.1


@ -1,19 +1,22 @@
From 48ce0cd16a2ea82bf0146ca82d883d677e1ab574 Mon Sep 17 00:00:00 2001
From 1a821310ed4c0519e7fe534ea0a4ba46e604ee4f Mon Sep 17 00:00:00 2001
From: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
Date: Wed, 11 Dec 2019 21:15:36 +0300
Subject: [PATCH 3/4] disable mrproper prepare scripts configs in devel rpms
Subject: [PATCH] disable mrproper prepare scripts configs in devel rpms
This is for disabling *config, mrproper, prepare, scripts on -devel rpms
Needed, because otherwise the -devel won't build correctly.
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
Makefile | 23 ++++++-----------------
Makefile | 22 +++++-----------------
scripts/kconfig/Makefile | 17 -----------------
2 files changed, 6 insertions(+), 34 deletions(-)
2 files changed, 5 insertions(+), 34 deletions(-)
diff --git a/Makefile b/Makefile
index e67f2e95b71d..a30833efd9a2 100644
index 076d4e6b9ccc..75bf27049d60 100644
--- a/Makefile
+++ b/Makefile
@@ -1093,8 +1093,7 @@ include/config/kernel.release: FORCE
@@ -1186,8 +1186,7 @@ include/config/kernel.release: FORCE
# Carefully list dependencies so we do not try to build scripts twice
# in parallel
PHONY += scripts
@ -23,36 +26,35 @@ index e67f2e95b71d..a30833efd9a2 100644
# Things we need to do before we recursively start building the kernel
# or the modules are listed in "prepare".
@@ -1112,7 +1111,7 @@ prepare0: archprepare
@@ -1206,7 +1205,7 @@ prepare0: archprepare
$(Q)$(MAKE) $(build)=.
# All the preparing..
-prepare: prepare0 prepare-objtool
-prepare: prepare0 prepare-objtool prepare-resolve_btfids
+prepare:
# Support for using generic headers in asm-generic
asm-generic := -f $(srctree)/scripts/Makefile.asm-generic obj
@@ -1363,15 +1362,8 @@ CLEAN_DIRS += include/ksym
CLEAN_FILES += modules.builtin.modinfo
@@ -1472,15 +1471,7 @@ CLEAN_FILES += include/ksym vmlinux.symvers \
compile_commands.json
# Directories & files removed with 'make mrproper'
-MRPROPER_DIRS += include/config include/generated \
-MRPROPER_FILES += include/config include/generated \
- arch/$(SRCARCH)/include/generated .tmp_objdiff \
- debian/ snap/ tar-install/
-MRPROPER_FILES += .config .config.old .version \
- debian snap tar-install \
- .config .config.old .version \
- Module.symvers \
- signing_key.pem signing_key.priv signing_key.x509 \
- x509.genkey extra_certificates signing_key.x509.keyid \
- signing_key.x509.signer vmlinux-gdb.py \
- *.spec
+MRPROPER_DIRS += ""
+MRPROPER_FILES += ""
# Directories & files removed with 'make distclean'
DISTCLEAN_DIRS +=
@@ -1394,13 +1386,10 @@ clean: archclean vmlinuxclean
DISTCLEAN_FILES += tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
@@ -1500,13 +1491,10 @@ clean: archclean vmlinuxclean
# mrproper - Delete all generated files, including .config
#
mrproper: rm-dirs := $(wildcard $(MRPROPER_DIRS))
mrproper: rm-files := $(wildcard $(MRPROPER_FILES))
-mrproper-dirs := $(addprefix _mrproper_,scripts)
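Review bot: two things in this hunk go beyond a mechanical rediff. First, `+prepare:` now also drops `prepare-resolve_btfids`, which is new in the 5.10 context line; that is fine for a -devel tree as long as nothing built against it needs resolved BTF ids, but it deserves a sentence in the patch description. Second, emptying the MRPROPER list means `make mrproper` no longer deletes `signing_key.pem signing_key.priv signing_key.x509` and the other module-signing material named in the removed lines; since the point of the patch is that the -devel rpm ships an already-prepared tree, make sure the packaging excludes those key files explicitly, because mrproper is no longer a safety net. The `+MRPROPER_DIRS += ""` line appears to have no 5.10 counterpart (only `MRPROPER_FILES` lines are removed from the 5.10 context), so it can probably be dropped.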
@ -63,55 +65,55 @@ index e67f2e95b71d..a30833efd9a2 100644
-mrproper: clean $(mrproper-dirs)
+mrproper: clean
$(call cmd,rmdirs)
$(call cmd,rmfiles)
# distclean
diff --git a/scripts/kconfig/Makefile b/scripts/kconfig/Makefile
index ef2f2336c469..0a8eb06085ba 100644
index e46df0a2d4f9..edceb8d1d213 100644
--- a/scripts/kconfig/Makefile
+++ b/scripts/kconfig/Makefile
@@ -24,19 +24,14 @@ endif
@@ -20,19 +20,14 @@ endif
unexport CONFIG_
xconfig: $(obj)/qconf
- $< $(silent) $(Kconfig)
- $(Q)$< $(silent) $(Kconfig)
gconfig: $(obj)/gconf
- $< $(silent) $(Kconfig)
- $(Q)$< $(silent) $(Kconfig)
menuconfig: $(obj)/mconf
- $< $(silent) $(Kconfig)
- $(Q)$< $(silent) $(Kconfig)
config: $(obj)/conf
- $< $(silent) --oldaskconfig $(Kconfig)
- $(Q)$< $(silent) --oldaskconfig $(Kconfig)
nconfig: $(obj)/nconf
- $< $(silent) $(Kconfig)
- $(Q)$< $(silent) $(Kconfig)
build_menuconfig: $(obj)/mconf
@@ -52,11 +47,9 @@ localyesconfig localmodconfig: $(obj)/conf
cmp -s .tmp.config .config || \
(mv -f .config .config.old.1; \
mv -f .tmp.config .config; \
- $< $(silent) --oldconfig $(Kconfig); \
mv -f .config.old.1 .config.old) \
else \
mv -f .tmp.config .config; \
- $< $(silent) --oldconfig $(Kconfig); \
@@ -48,11 +43,9 @@ localyesconfig localmodconfig: $(obj)/conf
cmp -s .tmp.config .config || \
(mv -f .config .config.old.1; \
mv -f .tmp.config .config; \
- $< $(silent) --oldconfig $(Kconfig); \
mv -f .config.old.1 .config.old) \
else \
mv -f .tmp.config .config; \
- $< $(silent) --oldconfig $(Kconfig); \
fi
$(Q)rm -f .tmp.config
@@ -70,24 +63,14 @@ simple-targets := oldconfig allnoconfig allyesconfig allmodconfig \
@@ -68,24 +61,14 @@ simple-targets := oldconfig allnoconfig allyesconfig allmodconfig \
PHONY += $(simple-targets)
$(simple-targets): $(obj)/conf
- $< $(silent) --$@ $(Kconfig)
- $(Q)$< $(silent) --$@ $(Kconfig)
PHONY += savedefconfig defconfig
savedefconfig: $(obj)/conf
- $< $(silent) --$@=defconfig $(Kconfig)
- $(Q)$< $(silent) --$@=defconfig $(Kconfig)
defconfig: $(obj)/conf
-ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)),)
@ -128,5 +130,5 @@ index ef2f2336c469..0a8eb06085ba 100644
configfiles=$(wildcard $(srctree)/kernel/configs/$@ $(srctree)/arch/$(SRCARCH)/configs/$@)
--
2.20.1
2.25.1


@ -1,170 +0,0 @@
From 739b745efb929453f41472e111760be6f8be6a3a Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Date: Sat, 1 Aug 2020 12:43:53 +0300
Subject: [PATCH] mm: add sysctl to disable disk-based swap
Sometimes it is needed to disallow using disk-based swaps, for example,
when it is required to ensure that any secret information is not left on disk.
When something is written to disk, it can be restored in most cases
unless being overwritten. When memory data is stored on disk, we cannot be
sure that it will be overwritten and so cannot be sure that secret information
is deleted securely.
CONFIG_INIT_ON_FREE_DEFAULT_ON=y makes the kernel overwrite everything that is
deleted from memory, but it does not ensure that regions of the disk with swap
are overwritten. Currently there is no way to ensure wiping swap on disk.
In such conditions it makes sense to disallow usage of disk-based swap.
This patch adds sysctl vm.disk_based_swap, by default is is 1, which means that
disk-based swap (both swap files and swap partitions) can be used.
If = 0, than only zram swap is allowed, zram is not a disk-based swap
(but note that zram can offload parts of it to disk, CONFIG_ZRAM_WRITEBACK,
it is not controlled by this sysctl).
This patch is based on patches from Chromium OS Linux kernel [1, 2, 3, 4]
Patch [5] is taken as an example of adding a sysctl.
TODO: print a message why swap was blocked.
[1] https://gitlab.freedesktop.org/seanpaul/dpu-staging/commit/0b992f2dbb044896c3584e10bd5b97cf41e2ec6d
[2] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/880b2d77404682761ae2e19297f1183fd434b0ec%5E%21/
[3] https://chromium.googlesource.com/chromiumos/third_party/kernel/+blame/refs/heads/chromeos-5.4/mm/swapfile.c
[4] https://chromium.googlesource.com/chromiumos/third_party/kernel/+blame/refs/heads/chromeos-5.4/kernel/sysctl.c
[5] https://patchwork.kernel.org/patch/10858771/
Author of [2] in Chromium OS kernel:
Co-authored-by: Will Drewry <wad@chromium.org>
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
Documentation/admin-guide/sysctl/vm.rst | 8 ++++++++
include/linux/mm.h | 2 ++
init/Kconfig | 11 +++++++++++
kernel/sysctl.c | 9 +++++++++
mm/swapfile.c | 16 ++++++++++++++++
5 files changed, 46 insertions(+)
diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
index 64aeee1009ca..9d60154695f6 100644
--- a/Documentation/admin-guide/sysctl/vm.rst
+++ b/Documentation/admin-guide/sysctl/vm.rst
@@ -35,6 +35,7 @@ Currently, these files are in /proc/sys/vm:
- dirty_ratio
- dirtytime_expire_seconds
- dirty_writeback_centisecs
+- disk_based_swap
- drop_caches
- extfrag_threshold
- hugetlb_shm_group
@@ -209,6 +210,13 @@ out to disk. This tunable expresses the interval between those wakeups, in
Setting this to zero disables periodic writeback altogether.
+disk_based_swap
+===============
+
+Disables (0) or enables (1) usage of disk-based swap, both swap files and
+swap partitions. When disabled, only zram swap can be used, and disk-based
+swap is prohibited then.
+
drop_caches
===========
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 3285dae06c03..f8b9522da07d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2901,5 +2901,7 @@ static inline int pages_identical(struct page *page1, struct page *page2)
return !memcmp_pages(page1, page2);
}
+extern int sysctl_disk_based_swap;
+
#endif /* __KERNEL__ */
#endif /* _LINUX_MM_H */
diff --git a/init/Kconfig b/init/Kconfig
index 87e4f2ac7c5e..4187799a9d13 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -280,6 +280,17 @@ config SWAP
used to provide more virtual memory than the actual RAM present
in your computer. If unsure say Y.
+config DISK_BASED_SWAP_DEFAULT_ON
+ bool "Allow disk-based swap"
+ depends on SWAP
+ default y
+ help
+ If true, disk-based swap (either a file or a partition) is allowed,
+ otherwise only zram swap is allowed.
+ sysctl vm.disk_based_swap = [ 1 | 0 ]
+ Note that zram writeback feature is not controlled by this sysctl.
+ If unsure say Y.
+
config SYSVIPC
bool "System V IPC"
---help---
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 70665934d53e..5f2e4613e655 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1405,6 +1405,15 @@ static struct ctl_table vm_table[] = {
.proc_handler = dirtytime_interval_handler,
.extra1 = SYSCTL_ZERO,
},
+ {
+ .procname = "disk_based_swap",
+ .data = &sysctl_disk_based_swap,
+ .maxlen = sizeof(sysctl_disk_based_swap),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
{
.procname = "swappiness",
.data = &vm_swappiness,
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 891a3ef48651..ef79f4d03809 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2871,12 +2871,26 @@ static struct swap_info_struct *alloc_swap_info(void)
return p;
}
+#ifdef CONFIG_DISK_BASED_SWAP_DEFAULT_ON
+int sysctl_disk_based_swap __read_mostly = 1;
+#else
+int sysctl_disk_based_swap __read_mostly = 0;
+#endif
+
static int claim_swapfile(struct swap_info_struct *p, struct inode *inode)
{
int error;
if (S_ISBLK(inode->i_mode)) {
+ char name[BDEVNAME_SIZE];
p->bdev = bdgrab(I_BDEV(inode));
+ bdevname(p->bdev, name);
+ // If sysctl vm.disk_based_swap = false, prohibit any swaps but zram
+ if (!sysctl_disk_based_swap && strncmp(name, "zram", strlen("zram"))) {
+ bdput(p->bdev);
+ p->bdev = NULL;
+ return -EINVAL;
+ }
error = blkdev_get(p->bdev,
FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
if (error < 0) {
@@ -2889,6 +2903,8 @@ static int claim_swapfile(struct swap_info_struct *p, struct inode *inode)
return error;
p->flags |= SWP_BLKDEV;
} else if (S_ISREG(inode->i_mode)) {
+ if (!sysctl_disk_based_swap)
+ return -EINVAL;
p->bdev = inode->i_sb->s_bdev;
}
--
2.17.1
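Review bot: the whole patch is removed, consistent with the commit message ("has not found any usage"), and removing it also takes the `vm.disk_based_swap` documentation and the `DISK_BASED_SWAP_DEFAULT_ON` Kconfig option with it, so nothing dangling is left behind. Worth a line in the changelog: the sysctl disappears entirely, so any sysctl.d fragment that set `vm.disk_based_swap = 0` will now fail to apply, and the use case the patch description names (keeping secret data out of on-disk swap) has no kernel-side enforcement in this build any more.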


@ -1,18 +1,23 @@
From fca5cb9534cbe7da52c234021aa802542fccceff Mon Sep 17 00:00:00 2001
From 8d376cb0241182ae4859db3aa7f790996054ae75 Mon Sep 17 00:00:00 2001
From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
Date: Wed, 11 Dec 2019 21:12:06 +0300
Subject: [PATCH 2/4] perf: skip xmlto validation
Subject: [PATCH] perf: skip xmlto validation
Perf docs are built after all the kernels. To validate the xml files
generated during that process, xmlto tries to get DTD files from the Net.
If it fails, the whole build fails, which is unfortunate. Let us avoid this.
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
tools/perf/Documentation/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
index adc5a7e44b98..317dac191d8c 100644
index 6e54979c2124..ccbc7a68769d 100644
--- a/tools/perf/Documentation/Makefile
+++ b/tools/perf/Documentation/Makefile
@@ -51,7 +51,7 @@ ASCIIDOC=asciidoc
ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf
ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
ASCIIDOC_HTML = xhtml11
MANPAGE_XSL = manpage-normal.xsl
-XMLTO_EXTRA =
@ -21,5 +26,5 @@ index adc5a7e44b98..317dac191d8c 100644
RM ?= rm -f
DOC_REF = origin/man
--
2.20.1
2.25.1


@ -1,8 +1,9 @@
From b7faaef27bb8ede32f5cf2958fa6d84976806f14 Mon Sep 17 00:00:00 2001
From fe0e9e1b7fc6bc4a8ca0e0473bf88297ca7020a7 Mon Sep 17 00:00:00 2001
From: "Anton V. Boyarshinov" <boyarsh@altlinux.org>
Date: Thu, 17 May 2018 08:30:25 +0000
Subject: [PATCH 2/2] Documentation for AltHa LSM
Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
---
Documentation/admin-guide/LSM/AltHa.rst | 43 +++++++++++++++++++++++++
Documentation/admin-guide/LSM/index.rst | 1 +
@ -68,5 +69,5 @@ index a6ba95fbaa9f..20b57e7adadd 100644
SafeSetID
+ AltHa
--
2.20.1
2.25.1


@ -0,0 +1,68 @@
From d89442861500242809d99c9e178b0ed1dd741b28 Mon Sep 17 00:00:00 2001
From: Kernel Bot <kernelbot@altlinux.org>
Date: Mon, 24 Aug 2020 17:16:53 +0300
Subject: [PATCH 3/4] security/altha/altha_lsm.c: build fixed with kernel 5.8
---
security/altha/altha_lsm.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
index 7d1cc8f8a1a7..41f0fc7ac8e5 100644
--- a/security/altha/altha_lsm.c
+++ b/security/altha/altha_lsm.c
@@ -216,6 +216,15 @@ struct altha_readdir_callback {
int found;
};
+int compare_paths(const struct path *path1, const struct path *path2)
+{
+ char a1[PATH_MAX];
+ char a2[PATH_MAX];
+ char* p1, *p2;
+ p1=d_path(path1,a1,PATH_MAX);
+ p2=d_path(path2,a2,PATH_MAX);
+ return strcmp(p1,p2);
+}
int is_olock_dir(struct inode *inode)
{
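Review bot: `compare_paths()` puts two PATH_MAX buffers (8 KiB in total) on the kernel stack and calls `strcmp()` on the `d_path()` results without an `IS_ERR()` check, although `d_path()` returns an error pointer when the path does not fit the buffer; it is also not `static`, so it exports a very generic symbol name. Since the following patch (4/4) deletes this helper again, the file is acceptable as a step in the series, but if it stays a separate patch the description should say it is transitional.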
@@ -233,14 +242,14 @@ int is_olock_dir(struct inode *inode)
}
/* Hooks */
-static int altha_bprm_set_creds(struct linux_binprm *bprm)
+static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * fi)
{
struct altha_list_struct *node;
/* when it's not a shebang issued script interpreter */
- if (rstrscript_enabled && !bprm->called_set_creds) {
+ if (rstrscript_enabled && bprm->filename == bprm->interp) {
down_read(&interpreters_sem);
list_for_each_entry(node, &interpreters_list, list) {
- if (path_equal(&bprm->file->f_path, &node->path)) {
+ if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
uid_t cur_uid = from_kuid(bprm->cred->user_ns,
bprm->cred->uid);
pr_notice_ratelimited
@@ -257,7 +266,7 @@ static int altha_bprm_set_creds(struct linux_binprm *bprm)
uid_t cur_uid = from_kuid(bprm->cred->user_ns, bprm->cred->uid);
down_read(&nosuid_exceptions_sem);
list_for_each_entry(node, &nosuid_exceptions_list, list) {
- if (path_equal(&bprm->file->f_path, &node->path)) {
+ if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
pr_notice_ratelimited
("AltHa/NoSUID: %s permitted to setuid from %d\n",
bprm->filename, cur_uid);
@@ -291,7 +300,7 @@ static int altha_inode_unlink(struct inode *inode, struct dentry *dentry)
/* Initialization */
static struct security_hook_list altha_hooks[] = {
- LSM_HOOK_INIT(bprm_set_creds, altha_bprm_set_creds),
+ LSM_HOOK_INIT(bprm_creds_from_file, altha_bprm_creds_from_file),
LSM_HOOK_INIT(inode_unlink, altha_inode_unlink),
};
--
2.25.1


@ -0,0 +1,101 @@
From 5765b709411696cd58db43e6e006a36e5a207ee0 Mon Sep 17 00:00:00 2001
From: Kernel Bot <kernelbot@altlinux.org>
Date: Wed, 2 Sep 2020 15:19:59 +0300
Subject: [PATCH 4/4] altha: use path strings instead of path structs
Path strings continueto work even when target file was replaced.
---
security/altha/altha_lsm.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/security/altha/altha_lsm.c b/security/altha/altha_lsm.c
index 41f0fc7ac8e5..ccde83ebb26c 100644
--- a/security/altha/altha_lsm.c
+++ b/security/altha/altha_lsm.c
@@ -52,6 +52,8 @@ __setup("altha=", altha_enabled_setup);
struct altha_list_struct {
struct path path;
+ char * spath;
+ char * spath_p;
struct list_head list;
};
@@ -91,6 +93,7 @@ static int altha_list_handler(struct ctl_table *table, int write,
list_for_each_entry_safe(item, tmp, list_struct, list) {
list_del(&item->list);
path_put(&item->path);
+ kfree(item->spath_p);
kfree(item);
}
@@ -106,7 +109,9 @@ static int altha_list_handler(struct ctl_table *table, int write,
while ((p = strsep(&fluid, ":\n")) != NULL) {
if (strlen(p)) {
item = kmalloc(sizeof(*item), GFP_KERNEL);
- if (!item) {
+ if (item)
+ item->spath_p = kmalloc(PATH_MAX, GFP_KERNEL);
+ if (!item || !item->spath_p) {
pr_err
("AltHa: can't get memory processing sysctl\n");
kfree(copy_buffer);
@@ -118,6 +123,7 @@ static int altha_list_handler(struct ctl_table *table, int write,
("AltHa: error lookup '%s'\n", p);
kfree(item);
} else {
+ item->spath=d_path(&item->path,item->spath_p,PATH_MAX);
list_add_tail(&item->list, list_struct);
}
}
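Review bot: in the lookup-error branch `kfree(item)` frees the list node but not `item->spath_p`, the PATH_MAX buffer allocated a few lines earlier, so every sysctl write naming a path that fails lookup leaks 4 KiB; add `kfree(item->spath_p)` before that `kfree(item)`, and check that the `if (!item || !item->spath_p)` branch frees `item` when only the second allocation failed. The stored `item->spath` is likewise used without an `IS_ERR()` check, and `d_path()` renders the path relative to the root of the process writing the sysctl, so a string recorded from one mount namespace or chroot will not match the same file as seen from another; that is inherent in the path-string design the subject line describes and should be documented.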
@@ -216,16 +222,6 @@ struct altha_readdir_callback {
int found;
};
-int compare_paths(const struct path *path1, const struct path *path2)
-{
- char a1[PATH_MAX];
- char a2[PATH_MAX];
- char* p1, *p2;
- p1=d_path(path1,a1,PATH_MAX);
- p2=d_path(path2,a2,PATH_MAX);
- return strcmp(p1,p2);
-}
-
int is_olock_dir(struct inode *inode)
{
struct altha_list_struct *node;
@@ -246,10 +242,13 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
{
struct altha_list_struct *node;
/* when it's not a shebang issued script interpreter */
- if (rstrscript_enabled && bprm->filename == bprm->interp) {
+ if (rstrscript_enabled && bprm->executable == bprm->interpreter) {
+ char path_buffer[PATH_MAX];
+ char *path_p;
+ path_p = d_path(&bprm->file->f_path,path_buffer,PATH_MAX);
down_read(&interpreters_sem);
list_for_each_entry(node, &interpreters_list, list) {
- if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
+ if (strcmp(path_p, node->spath) == 0) {
uid_t cur_uid = from_kuid(bprm->cred->user_ns,
bprm->cred->uid);
pr_notice_ratelimited
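Review bot: the replacement test `bprm->executable == bprm->interpreter` compares two `struct file *` fields, whereas the previous form `bprm->filename == bprm->interp` compared the filename pointers that binfmt_script actually substitutes. By the time `bprm_creds_from_file` runs, exec has already consumed `bprm->interpreter`, and for an ordinary `#!` script without an exec fd `bprm->executable` is not set either, so both sides are NULL for scripts as well as for direct invocations and the "not a shebang issued script interpreter" condition stops discriminating; that would make the rstrscript check block interpreters started via shebang too. Please confirm against 5.10's fs/exec.c before merging. Separately, `path_buffer[PATH_MAX]` adds 4 KiB to the hook's stack frame and `path_p` goes to `strcmp()` without an `IS_ERR()` check; the NoSUID hunk of this file repeats the same pattern.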
@@ -263,10 +262,13 @@ static int altha_bprm_creds_from_file(struct linux_binprm *bprm, struct file * f
}
if (unlikely(nosuid_enabled &&
!uid_eq(bprm->cred->uid, bprm->cred->euid))) {
+ char path_buffer[PATH_MAX];
+ char *path_p;
uid_t cur_uid = from_kuid(bprm->cred->user_ns, bprm->cred->uid);
+ path_p = d_path(&bprm->file->f_path,path_buffer,PATH_MAX);
down_read(&nosuid_exceptions_sem);
list_for_each_entry(node, &nosuid_exceptions_list, list) {
- if (compare_paths(&bprm->file->f_path, &node->path) == 0) {
+ if (strcmp(path_p, node->spath) == 0) {
pr_notice_ratelimited
("AltHa/NoSUID: %s permitted to setuid from %d\n",
bprm->filename, cur_uid);
--
2.25.1

aufs-k510.diff (normal file, 658 lines)

@ -0,0 +1,658 @@
diff --git a/fs/aufs/branch.h b/fs/aufs/branch.h
index 594c8bd674b2..82c24958edd8 100644
--- a/fs/aufs/branch.h
+++ b/fs/aufs/branch.h
@@ -241,10 +241,8 @@ int au_xino_read(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
ino_t *ino);
int au_xino_write(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
ino_t ino);
-ssize_t xino_fread(vfs_readf_t func, struct file *file, void *buf, size_t size,
- loff_t *pos);
-ssize_t xino_fwrite(vfs_writef_t func, struct file *file, void *buf,
- size_t size, loff_t *pos);
+ssize_t xino_fread(struct file *file, void *buf, size_t size, loff_t *pos);
+ssize_t xino_fwrite(struct file *file, void *buf, size_t size, loff_t *pos);
int au_xib_trunc(struct super_block *sb);
int au_xino_trunc(struct super_block *sb, aufs_bindex_t bindex, int idx_begin);
diff --git a/fs/aufs/cpup.c b/fs/aufs/cpup.c
index 492442339b6c..50141f5a45f9 100644
--- a/fs/aufs/cpup.c
+++ b/fs/aufs/cpup.c
@@ -569,32 +569,19 @@ static int au_do_cpup_regular(struct au_cp_generic *cpg,
static int au_do_cpup_symlink(struct path *h_path, struct dentry *h_src,
struct inode *h_dir)
{
- int err, symlen;
- mm_segment_t old_fs;
- union {
- char *k;
- char __user *u;
- } sym;
+ int err;
+ DEFINE_DELAYED_CALL(done);
+ const char *sym;
- err = -ENOMEM;
- sym.k = (void *)__get_free_page(GFP_NOFS);
- if (unlikely(!sym.k))
+ sym = vfs_get_link(h_src, &done);
+ err = PTR_ERR(sym);
+ if (IS_ERR(sym))
goto out;
- /* unnecessary to support mmap_sem since symlink is not mmap-able */
- old_fs = get_fs();
- set_fs(KERNEL_DS);
- symlen = vfs_readlink(h_src, sym.u, PATH_MAX);
- err = symlen;
- set_fs(old_fs);
-
- if (symlen > 0) {
- sym.k[symlen] = 0;
- err = vfsub_symlink(h_dir, h_path, sym.k);
- }
- free_page((unsigned long)sym.k);
+ err = vfsub_symlink(h_dir, h_path, sym);
out:
+ do_delayed_call(&done);
return err;
}
diff --git a/fs/aufs/dynop.c b/fs/aufs/dynop.c
index 837f94d49f74..4732edb340d7 100644
--- a/fs/aufs/dynop.c
+++ b/fs/aufs/dynop.c
@@ -180,6 +180,7 @@ static void dy_aop(struct au_dykey *key, const void *h_op,
DySetAop(writepages);
DySetAop(set_page_dirty);
DySetAop(readpages);
+ DySetAop(readahead);
DySetAop(write_begin);
DySetAop(write_end);
DySetAop(bmap);
diff --git a/fs/aufs/export.c b/fs/aufs/export.c
index 842df6f05517..f883d2bf5325 100644
--- a/fs/aufs/export.c
+++ b/fs/aufs/export.c
@@ -121,8 +121,7 @@ void au_xigen_inc(struct inode *inode)
pos = inode->i_ino;
pos *= sizeof(igen);
igen = inode->i_generation + 1;
- sz = xino_fwrite(sbinfo->si_xwrite, sbinfo->si_xigen, &igen,
- sizeof(igen), &pos);
+ sz = xino_fwrite(sbinfo->si_xigen, &igen, sizeof(igen), &pos);
if (sz == sizeof(igen))
return; /* success */
@@ -164,10 +163,10 @@ int au_xigen_new(struct inode *inode)
if (vfsub_f_size_read(file)
< pos + sizeof(inode->i_generation)) {
inode->i_generation = atomic_inc_return(&sbinfo->si_xigen_next);
- sz = xino_fwrite(sbinfo->si_xwrite, file, &inode->i_generation,
+ sz = xino_fwrite(file, &inode->i_generation,
sizeof(inode->i_generation), &pos);
} else
- sz = xino_fread(sbinfo->si_xread, file, &inode->i_generation,
+ sz = xino_fread(file, &inode->i_generation,
sizeof(inode->i_generation), &pos);
if (sz == sizeof(inode->i_generation))
goto out; /* success */
diff --git a/fs/aufs/f_op.c b/fs/aufs/f_op.c
index 9894e2124bd5..37eb4f6bcc23 100644
--- a/fs/aufs/f_op.c
+++ b/fs/aufs/f_op.c
@@ -242,34 +242,6 @@ static void au_write_post(struct inode *inode, struct file *h_file,
fput(h_file);
}
-static ssize_t aufs_read(struct file *file, char __user *buf, size_t count,
- loff_t *ppos)
-{
- ssize_t err;
- struct inode *inode;
- struct file *h_file;
- struct super_block *sb;
-
- inode = file_inode(file);
- sb = inode->i_sb;
- si_read_lock(sb, AuLock_FLUSH | AuLock_NOPLMW);
-
- h_file = au_read_pre(file, /*keep_fi*/0, /*lsc*/0);
- err = PTR_ERR(h_file);
- if (IS_ERR(h_file))
- goto out;
-
- /* filedata may be obsoleted by concurrent copyup, but no problem */
- err = vfsub_read_u(h_file, buf, count, ppos);
- /* todo: necessary? */
- /* file->f_ra = h_file->f_ra; */
- au_read_post(inode, h_file);
-
-out:
- si_read_unlock(sb);
- return err;
-}
-
/*
* todo: very ugly
* it locks both of i_mutex and si_rwsem for read in safe.
@@ -292,33 +264,6 @@ static void au_mtx_and_read_lock(struct inode *inode)
}
}
-static ssize_t aufs_write(struct file *file, const char __user *ubuf,
- size_t count, loff_t *ppos)
-{
- ssize_t err;
- struct au_write_pre wpre;
- struct inode *inode;
- struct file *h_file;
- char __user *buf = (char __user *)ubuf;
-
- inode = file_inode(file);
- au_mtx_and_read_lock(inode);
-
- wpre.lsc = 0;
- h_file = au_write_pre(file, /*do_ready*/1, &wpre);
- err = PTR_ERR(h_file);
- if (IS_ERR(h_file))
- goto out;
-
- err = vfsub_write_u(h_file, buf, count, ppos);
- au_write_post(inode, h_file, &wpre, err);
-
-out:
- si_read_unlock(inode->i_sb);
- inode_unlock(inode);
- return err;
-}
-
static ssize_t au_do_iter(struct file *h_file, int rw, struct kiocb *kio,
struct iov_iter *iov_iter)
{
@@ -788,8 +733,6 @@ const struct file_operations aufs_file_fop = {
.llseek = default_llseek,
- .read = aufs_read,
- .write = aufs_write,
.read_iter = aufs_read_iter,
.write_iter = aufs_write_iter,
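Review bot: dropping `.read`/`.write` from `aufs_file_fop` is more than cleanup and the patch should say so: 5.10's `__kernel_read()`/`__kernel_write()` refuse a file that has both `->read` and `->read_iter` (or `->write` and `->write_iter`) wired up, so with vfsub.c switching to `kernel_read()`/`kernel_write()` in this same diff, keeping the old entries would have turned those calls into errors for aufs files. The remaining `.read_iter`/`.write_iter` entries cover the plain read(2)/write(2) paths via the VFS fallbacks.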
diff --git a/fs/aufs/file.c b/fs/aufs/file.c
index b0075b57d8bc..53d0f16c3bab 100644
--- a/fs/aufs/file.c
+++ b/fs/aufs/file.c
@@ -790,6 +790,10 @@ static ssize_t aufs_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
/* they will never be called. */
#ifdef CONFIG_AUFS_DEBUG
+/*
+void aufs_readahead(struct readahead_control *)
+{ AuUnsupport(); }
+*/
static int aufs_write_begin(struct file *file, struct address_space *mapping,
loff_t pos, unsigned len, unsigned flags,
struct page **pagep, void **fsdata)
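Review bot: `DySetAop(readahead)` is added to the dynamic address_space_operations table in dynop.c, but the matching debug stub `aufs_readahead()` here is left as a comment; in a CONFIG_AUFS_DEBUG build the other "never called" operations get a real `AuUnsupport()` stub, so either uncomment this one (it needs `static void` and a parameter name to compile) or drop the dead comment, so that dynop.c and file.c stay consistent.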
diff --git a/fs/aufs/hfsnotify.c b/fs/aufs/hfsnotify.c
index cb4eeb1e6069..d0abe8ac783f 100644
--- a/fs/aufs/hfsnotify.c
+++ b/fs/aufs/hfsnotify.c
@@ -160,8 +160,8 @@ static void au_hfsn_free_group(struct fsnotify_group *group)
}
static int au_hfsn_handle_event(struct fsnotify_group *group,
- struct inode *inode,
u32 mask, const void *data, int data_type,
+ struct inode *dir,
const struct qstr *file_name, u32 cookie,
struct fsnotify_iter_info *iter_info)
{
@@ -178,7 +178,7 @@ static int au_hfsn_handle_event(struct fsnotify_group *group,
if (mask & (FS_IN_IGNORED | FS_UNMOUNT))
goto out;
- h_dir = inode;
+ h_dir = dir;
h_inode = NULL;
#ifdef AuDbgHnotify
au_debug_on();
diff --git a/fs/aufs/super.h b/fs/aufs/super.h
index c0cb0051242c..4638331366b7 100644
--- a/fs/aufs/super.h
+++ b/fs/aufs/super.h
@@ -131,8 +131,6 @@ struct au_sbinfo {
unsigned int si_mntflags;
/* external inode number (bitmap and translation table) */
- vfs_readf_t si_xread;
- vfs_writef_t si_xwrite;
loff_t si_ximaxent; /* max entries in a xino */
struct file *si_xib;
diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
index a5e10c5c004f..de875cd4eedc 100644
--- a/fs/aufs/vfsub.c
+++ b/fs/aufs/vfsub.c
@@ -513,22 +513,17 @@ ssize_t vfsub_read_u(struct file *file, char __user *ubuf, size_t count,
return err;
}
-/* todo: kernel_read()? */
ssize_t vfsub_read_k(struct file *file, void *kbuf, size_t count,
loff_t *ppos)
{
ssize_t err;
- mm_segment_t oldfs;
- union {
- void *k;
- char __user *u;
- } buf;
-
- buf.k = kbuf;
- oldfs = get_fs();
- set_fs(KERNEL_DS);
- err = vfsub_read_u(file, buf.u, count, ppos);
- set_fs(oldfs);
+
+ lockdep_off();
+ err = kernel_read(file, kbuf, count, ppos);
+ lockdep_on();
+ AuTraceErr(err);
+ if (err >= 0)
+ vfsub_update_h_iattr(&file->f_path, /*did*/NULL); /*ignore*/
return err;
}
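Review bot: lockdep_off()/lockdep_on() around kernel_read() silences lockdep for the whole call, including any genuine lock-order inversion between the aufs locks held by the caller and the branch filesystem's own locks; add a comment stating which false positive it suppresses, or drop it and use a lock subclass for the branch-side lock instead. Minor: AuTraceErr(err) is called here but not in the matching vfsub_write_k() hunk below; keep the two symmetric.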
@@ -548,17 +543,12 @@ ssize_t vfsub_write_u(struct file *file, const char __user *ubuf, size_t count,
ssize_t vfsub_write_k(struct file *file, void *kbuf, size_t count, loff_t *ppos)
{
ssize_t err;
- mm_segment_t oldfs;
- union {
- void *k;
- const char __user *u;
- } buf;
-
- buf.k = kbuf;
- oldfs = get_fs();
- set_fs(KERNEL_DS);
- err = vfsub_write_u(file, buf.u, count, ppos);
- set_fs(oldfs);
+
+ lockdep_off();
+ err = kernel_write(file, kbuf, count, ppos);
+ lockdep_on();
+ if (err >= 0)
+ vfsub_update_h_iattr(&file->f_path, /*did*/NULL); /*ignore*/
return err;
}
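Review bot: kernel_write() takes `const void *buf`, so now that nothing launders kbuf through a union, the `void *kbuf` parameter here (and in xino_fwrite()/do_xino_fwrite() below) can become `const void *`, which lets callers pass read-only buffers without a cast. Same lockdep_off() concern as in vfsub_read_k(): document what it hides, and consider adding the AuTraceErr(err) that the read side has so failures of the xino writes are visible in the trace.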
diff --git a/fs/aufs/xino.c b/fs/aufs/xino.c
index b3152c0ce0b5..ae7bd07b022d 100644
--- a/fs/aufs/xino.c
+++ b/fs/aufs/xino.c
@@ -660,8 +660,8 @@ struct au_xi_writing {
ino_t h_ino, ino;
};
-static int au_xino_do_write(vfs_writef_t write, struct file *file,
- struct au_xi_calc *calc, ino_t ino);
+static int au_xino_do_write(struct file *file, struct au_xi_calc *calc,
+ ino_t ino);
static void au_xino_call_do_new_async(void *args)
{
@@ -690,7 +690,7 @@ static void au_xino_call_do_new_async(void *args)
file = au_xino_file(br->br_xino, a->calc.idx);
AuDebugOn(!file);
- err = au_xino_do_write(sbi->si_xwrite, file, &a->calc, a->ino);
+ err = au_xino_do_write(file, &a->calc, a->ino);
if (unlikely(err)) {
AuIOErr("err %d\n", err);
goto out;
@@ -791,7 +791,7 @@ int au_xino_read(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
return 0; /* no xino */
sbinfo = au_sbi(sb);
- sz = xino_fread(sbinfo->si_xread, file, ino, sizeof(*ino), &calc.pos);
+ sz = xino_fread(file, ino, sizeof(*ino), &calc.pos);
if (sz == sizeof(*ino))
return 0; /* success */
@@ -803,12 +803,12 @@ int au_xino_read(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
return err;
}
-static int au_xino_do_write(vfs_writef_t write, struct file *file,
- struct au_xi_calc *calc, ino_t ino)
+static int au_xino_do_write(struct file *file, struct au_xi_calc *calc,
+ ino_t ino)
{
ssize_t sz;
- sz = xino_fwrite(write, file, &ino, sizeof(ino), &calc->pos);
+ sz = xino_fwrite(file, &ino, sizeof(ino), &calc->pos);
if (sz == sizeof(ino))
return 0; /* success */
@@ -858,7 +858,7 @@ int au_xino_write(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
goto out;
}
- err = au_xino_do_write(au_sbi(sb)->si_xwrite, file, &calc, ino);
+ err = au_xino_do_write(file, &calc, ino);
if (!err) {
br = au_sbr(sb, bindex);
if (au_opt_test(mnt_flags, TRUNC_XINO)
@@ -872,40 +872,27 @@ int au_xino_write(struct super_block *sb, aufs_bindex_t bindex, ino_t h_ino,
return -EIO;
}
-static ssize_t xino_fread_wkq(vfs_readf_t func, struct file *file, void *buf,
- size_t size, loff_t *pos);
+static ssize_t xino_fread_wkq(struct file *file, void *buf, size_t size,
+ loff_t *pos);
/* todo: unnecessary to support mmap_sem since kernel-space? */
-ssize_t xino_fread(vfs_readf_t func, struct file *file, void *kbuf, size_t size,
- loff_t *pos)
+ssize_t xino_fread(struct file *file, void *kbuf, size_t size, loff_t *pos)
{
ssize_t err;
- mm_segment_t oldfs;
- union {
- void *k;
- char __user *u;
- } buf;
int i;
const int prevent_endless = 10;
i = 0;
- buf.k = kbuf;
- oldfs = get_fs();
- set_fs(KERNEL_DS);
do {
- err = func(file, buf.u, size, pos);
+ err = vfsub_read_k(file, kbuf, size, pos);
if (err == -EINTR
&& !au_wkq_test()
&& fatal_signal_pending(current)) {
- set_fs(oldfs);
- err = xino_fread_wkq(func, file, kbuf, size, pos);
+ err = xino_fread_wkq(file, kbuf, size, pos);
BUG_ON(err == -EINTR);
- oldfs = get_fs();
- set_fs(KERNEL_DS);
}
} while (i++ < prevent_endless
&& (err == -EAGAIN || err == -EINTR));
- set_fs(oldfs);
#if 0 /* reserved for future use */
if (err > 0)
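Review bot: the "/* todo: unnecessary to support mmap_sem since kernel-space? */" comment above xino_fread() is now misleading and should go: with vfsub_read_k() wrapping kernel_read() there is no user address space involved at all. The retry loop (prevent_endless = 10 on -EAGAIN/-EINTR) and the fatal-signal hand-off to xino_fread_wkq() are unchanged, but since xino_fread_wkq() calls back into xino_fread() on the worker, a one-line comment that `!au_wkq_test()` is what prevents further nesting on the workqueue would help the next reader.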
@@ -917,7 +904,6 @@ ssize_t xino_fread(vfs_readf_t func, struct file *file, void *kbuf, size_t size,
struct xino_fread_args {
ssize_t *errp;
- vfs_readf_t func;
struct file *file;
void *buf;
size_t size;
@@ -927,17 +913,16 @@ struct xino_fread_args {
static void call_xino_fread(void *args)
{
struct xino_fread_args *a = args;
- *a->errp = xino_fread(a->func, a->file, a->buf, a->size, a->pos);
+ *a->errp = xino_fread(a->file, a->buf, a->size, a->pos);
}
-static ssize_t xino_fread_wkq(vfs_readf_t func, struct file *file, void *buf,
- size_t size, loff_t *pos)
+static ssize_t xino_fread_wkq(struct file *file, void *buf, size_t size,
+ loff_t *pos)
{
ssize_t err;
int wkq_err;
struct xino_fread_args args = {
.errp = &err,
- .func = func,
.file = file,
.buf = buf,
.size = size,
@@ -951,39 +936,27 @@ static ssize_t xino_fread_wkq(vfs_readf_t func, struct file *file, void *buf,
return err;
}
-static ssize_t xino_fwrite_wkq(vfs_writef_t func, struct file *file, void *buf,
- size_t size, loff_t *pos);
+static ssize_t xino_fwrite_wkq(struct file *file, void *buf, size_t size,
+ loff_t *pos);
-static ssize_t do_xino_fwrite(vfs_writef_t func, struct file *file, void *kbuf,
- size_t size, loff_t *pos)
+static ssize_t do_xino_fwrite(struct file *file, void *kbuf, size_t size,
+ loff_t *pos)
{
ssize_t err;
- mm_segment_t oldfs;
- union {
- void *k;
- const char __user *u;
- } buf;
int i;
const int prevent_endless = 10;
i = 0;
- buf.k = kbuf;
- oldfs = get_fs();
- set_fs(KERNEL_DS);
do {
- err = func(file, buf.u, size, pos);
+ err = vfsub_write_k(file, kbuf, size, pos);
if (err == -EINTR
&& !au_wkq_test()
&& fatal_signal_pending(current)) {
- set_fs(oldfs);
- err = xino_fwrite_wkq(func, file, kbuf, size, pos);
+ err = xino_fwrite_wkq(file, kbuf, size, pos);
BUG_ON(err == -EINTR);
- oldfs = get_fs();
- set_fs(KERNEL_DS);
}
} while (i++ < prevent_endless
&& (err == -EAGAIN || err == -EINTR));
- set_fs(oldfs);
#if 0 /* reserved for future use */
if (err > 0)
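Review bot: do_xino_fwrite() is now line-for-line the same loop as xino_fread() except for vfsub_write_k() vs vfsub_read_k() and which wkq helper it falls back to; with the set_fs()/union boilerplate gone, the two can be folded into one static helper taking a direction flag (or a pointer to vfsub_read_k/vfsub_write_k), which removes duplicated prevent_endless/-EINTR logic that otherwise has to be kept in sync by hand.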
@@ -995,7 +968,6 @@ static ssize_t do_xino_fwrite(vfs_writef_t func, struct file *file, void *kbuf,
struct do_xino_fwrite_args {
ssize_t *errp;
- vfs_writef_t func;
struct file *file;
void *buf;
size_t size;
@@ -1005,17 +977,16 @@ struct do_xino_fwrite_args {
static void call_do_xino_fwrite(void *args)
{
struct do_xino_fwrite_args *a = args;
- *a->errp = do_xino_fwrite(a->func, a->file, a->buf, a->size, a->pos);
+ *a->errp = do_xino_fwrite(a->file, a->buf, a->size, a->pos);
}
-static ssize_t xino_fwrite_wkq(vfs_writef_t func, struct file *file, void *buf,
- size_t size, loff_t *pos)
+static ssize_t xino_fwrite_wkq(struct file *file, void *buf, size_t size,
+ loff_t *pos)
{
ssize_t err;
int wkq_err;
struct do_xino_fwrite_args args = {
.errp = &err,
- .func = func,
.file = file,
.buf = buf,
.size = size,
@@ -1033,18 +1004,17 @@ static ssize_t xino_fwrite_wkq(vfs_writef_t func, struct file *file, void *buf,
return err;
}
-ssize_t xino_fwrite(vfs_writef_t func, struct file *file, void *buf,
- size_t size, loff_t *pos)
+ssize_t xino_fwrite(struct file *file, void *buf, size_t size, loff_t *pos)
{
ssize_t err;
if (rlimit(RLIMIT_FSIZE) == RLIM_INFINITY) {
lockdep_off();
- err = do_xino_fwrite(func, file, buf, size, pos);
+ err = do_xino_fwrite(file, buf, size, pos);
lockdep_on();
} else {
lockdep_off();
- err = xino_fwrite_wkq(func, file, buf, size, pos);
+ err = xino_fwrite_wkq(file, buf, size, pos);
lockdep_on();
}
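Review bot: the RLIMIT_FSIZE branch is still required after the switch to kernel_write(), and that deserves a comment here: kernel_write() goes through the branch filesystem's normal write path, which applies the calling task's RLIMIT_FSIZE in generic_write_checks(), so an unprivileged task with a small fsize limit would still get -EFBIG/SIGXFSZ while aufs writes its own xino file unless the write is handed to the workqueue thread.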
@@ -1095,17 +1065,17 @@ static int xib_pindex(struct super_block *sb, unsigned long pindex)
p = sbinfo->si_xib_buf;
pos = sbinfo->si_xib_last_pindex;
pos *= PAGE_SIZE;
- sz = xino_fwrite(sbinfo->si_xwrite, xib, p, PAGE_SIZE, &pos);
+ sz = xino_fwrite(xib, p, PAGE_SIZE, &pos);
if (unlikely(sz != PAGE_SIZE))
goto out;
pos = pindex;
pos *= PAGE_SIZE;
if (vfsub_f_size_read(xib) >= pos + PAGE_SIZE)
- sz = xino_fread(sbinfo->si_xread, xib, p, PAGE_SIZE, &pos);
+ sz = xino_fread(xib, p, PAGE_SIZE, &pos);
else {
memset(p, 0, PAGE_SIZE);
- sz = xino_fwrite(sbinfo->si_xwrite, xib, p, PAGE_SIZE, &pos);
+ sz = xino_fwrite(xib, p, PAGE_SIZE, &pos);
}
if (sz == PAGE_SIZE) {
sbinfo->si_xib_last_pindex = pindex;
@@ -1156,7 +1126,6 @@ static int do_xib_restore(struct super_block *sb, struct file *file, void *page)
unsigned long pindex;
loff_t pos, pend;
struct au_sbinfo *sbinfo;
- vfs_readf_t func;
ino_t *ino;
unsigned long *p;
@@ -1164,11 +1133,10 @@ static int do_xib_restore(struct super_block *sb, struct file *file, void *page)
sbinfo = au_sbi(sb);
MtxMustLock(&sbinfo->si_xib_mtx);
p = sbinfo->si_xib_buf;
- func = sbinfo->si_xread;
pend = vfsub_f_size_read(file);
pos = 0;
while (pos < pend) {
- sz = xino_fread(func, file, page, PAGE_SIZE, &pos);
+ sz = xino_fread(file, page, PAGE_SIZE, &pos);
err = sz;
if (unlikely(sz <= 0))
goto out;
@@ -1257,7 +1225,7 @@ int au_xib_trunc(struct super_block *sb)
p = sbinfo->si_xib_buf;
memset(p, 0, PAGE_SIZE);
pos = 0;
- sz = xino_fwrite(sbinfo->si_xwrite, sbinfo->si_xib, p, PAGE_SIZE, &pos);
+ sz = xino_fwrite(sbinfo->si_xib, p, PAGE_SIZE, &pos);
if (unlikely(sz != PAGE_SIZE)) {
err = sz;
AuIOErr("err %d\n", err);
@@ -1396,7 +1364,6 @@ static void xino_clear_xib(struct super_block *sb)
SiMustWriteLock(sb);
sbinfo = au_sbi(sb);
- /* unnecessary to clear sbinfo->si_xread and ->si_xwrite */
if (sbinfo->si_xib)
fput(sbinfo->si_xib);
sbinfo->si_xib = NULL;
@@ -1423,8 +1390,6 @@ static int au_xino_set_xib(struct super_block *sb, struct path *path)
if (sbinfo->si_xib)
fput(sbinfo->si_xib);
sbinfo->si_xib = file;
- sbinfo->si_xread = vfs_readf(file);
- sbinfo->si_xwrite = vfs_writef(file);
xi_sb = file_inode(file)->i_sb;
sbinfo->si_ximaxent = xi_sb->s_maxbytes;
if (unlikely(sbinfo->si_ximaxent < PAGE_SIZE)) {
@@ -1445,8 +1410,7 @@ static int au_xino_set_xib(struct super_block *sb, struct path *path)
sbinfo->si_xib_next_bit = 0;
if (vfsub_f_size_read(file) < PAGE_SIZE) {
pos = 0;
- err = xino_fwrite(sbinfo->si_xwrite, file, sbinfo->si_xib_buf,
- PAGE_SIZE, &pos);
+ err = xino_fwrite(file, sbinfo->si_xib_buf, PAGE_SIZE, &pos);
if (unlikely(err != PAGE_SIZE))
goto out_free;
}
@@ -1497,7 +1461,6 @@ static void au_xino_set_br_shared(struct super_block *sb, struct au_branch *br,
}
struct au_xino_do_set_br {
- vfs_writef_t writef;
struct au_branch *br;
ino_t h_ino;
aufs_bindex_t bshared;
@@ -1539,7 +1502,7 @@ static int au_xino_do_set_br(struct super_block *sb, struct path *path,
goto out;
AuDebugOn(!file);
- err = au_xino_do_write(args->writef, file, &calc, AUFS_ROOT_INO);
+ err = au_xino_do_write(file, &calc, AUFS_ROOT_INO);
if (unlikely(err))
au_xino_put(br);
@@ -1559,7 +1522,6 @@ static int au_xino_set_br(struct super_block *sb, struct path *path)
bbot = au_sbbot(sb);
inode = d_inode(sb->s_root);
- args.writef = au_sbi(sb)->si_xwrite;
for (bindex = 0; bindex <= bbot; bindex++) {
args.h_ino = au_h_iptr(inode, bindex)->i_ino;
args.br = au_sbr(sb, bindex);
@@ -1714,7 +1676,6 @@ int au_xino_init_br(struct super_block *sb, struct au_branch *br, ino_t h_ino,
.br = br
};
- args.writef = au_sbi(sb)->si_xwrite;
args.bshared = sbr_find_shared(sb, /*btop*/0, au_sbbot(sb),
au_br_sb(br));
err = au_xino_do_set_br(sb, base, &args);
@@ -1798,7 +1759,6 @@ void au_xino_delete_inode(struct inode *inode, const int unlinked)
struct au_hinode *hi;
struct inode *h_inode;
struct au_branch *br;
- vfs_writef_t xwrite;
struct au_xi_calc calc;
struct file *file;
@@ -1820,7 +1780,6 @@ void au_xino_delete_inode(struct inode *inode, const int unlinked)
if (bindex < 0)
return;
- xwrite = au_sbi(sb)->si_xwrite;
try_trunc = !!au_opt_test(mnt_flags, TRUNC_XINO);
hi = au_hinode(iinfo, bindex);
bbot = iinfo->ii_bbot;
@@ -1841,7 +1800,7 @@ void au_xino_delete_inode(struct inode *inode, const int unlinked)
if (IS_ERR_OR_NULL(file))
continue;
- err = au_xino_do_write(xwrite, file, &calc, /*ino*/0);
+ err = au_xino_do_write(file, &calc, /*ino*/0);
if (!err && try_trunc
&& au_test_fs_trunc_xino(au_br_sb(br)))
xino_try_trunc(sb, br);


@ -1,133 +0,0 @@
From 4d4c05a8901e313264433db69cc3374cef5164f6 Mon Sep 17 00:00:00 2001
From: Mauricio Faria de Oliveira <mfo@canonical.com>
Date: Mon, 29 Jun 2020 15:31:22 -0300
Subject: aufs: do not call i_readcount_inc()
The 'struct inode.i_readcount' field is maintained at the VFS, and
should not be modified by filesystems. But aufs does in one place,
which causes it to be unbalanced.
This started with Linux v2.6.39 commit 890275b5eb79 ("IMA: maintain
i_readcount in the VFS layer"), which moved the i_readcount updates
from IMA into the VFS (at the same places IMA was called previously)
and introduced 'mutex_lock(i_mutex)' in the ima_file_check() path.
The former change is functionally equivalent, thus no changes are
needed in response to it.
The latter change, on the other hand, is _not_; and is reported to
cause a deadlock in aufs (see below), thus it dropped the call to
ima_file_check().
However, when dropping the ima_file_check() call, aufs introduced
the i_readcount_inc() call as well, which according to the commit
changes is not necessary.
This can be observed in aufs2-standalone.git commit 1dbd1c864e455
("aufs2.1 standalone version for linux-2.6."), announced to the
aufs-users mailing list on 2011-04-04 [1].
diff --git a/ChangeLog b/ChangeLog
...
+commit 17eac367b03334e57a93e8051eb712add24d2534
+Author: J. R. Okajima <hooanon05@yahoo.co.jp>
+Date: Fri Apr 1 16:31:22 2011 +0900
+
+ aufs: for 2.6.39, limit the support for IMA
+
+ Since it acquires i_mutex and causes a deadlock, replace a
+ ima_file_check() call by i_readcount_inc().
+
+ Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
...
diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
...
struct file *vfsub_dentry_open(struct path *path, int flags)
...
+ if (!IS_ERR_OR_NULL(file)
+ && (file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+ i_readcount_inc(path->dentry->d_inode);
- err = ima_file_check(file, au_conv_oflags(flags));
...
Apparently, this might have been a misunderstanding of one hunk in
the 2.6.39 commit, that deletes the lines to increment i_readcount,
and adds the lines to acquire i_mutex.
It reuses code from the removed function ima_counts_get() to create
ima_rdwr_violation_check(), and another hunk calls the new function
from ima_file_check(). But note that the i_readcount increment was
_not_ called from ima_file_check() previously, via ima_counts_get():
-void ima_counts_get(struct file *file)
+static void ima_rdwr_violation_check(struct file *file)
{
...
+ mutex_lock(&inode->i_mutex); /* file metadata: permissions, xattr */
...
- atomic_inc(&inode->i_readcount);
#@@ -318,6 +308,7 @@ int ima_file_check(struct file *file, int mask)
...
+ ima_rdwr_violation_check(file);
So, in order to avoid the unbalance caused to i_readcount, drop the
i_readcount_inc() call.
Note the issue is not the lack of a corresponding i_readcount_dec()
call; it's the mere usage of these functions outside of VFS layer,
where i_readcount is maintained.
Links:
[1] https://sourceforge.net/p/aufs/mailman/message/27304125/
snippet:
"""
aufs2 Monday GIT release
From: <sfjro@us...> - 2011-04-04 04:59:18
o news
- begin supporting linux-2.6.39-rcN.
...
- aufs2-2.6.git#aufs2.1 branch
...
aufs: for 2.6.39, limit the support for IMA
...
"""
Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
(cherry picked from commit 515a586eeef31e0717d5dea21e2c11a965340b3c aufs4-linux.git)
CVE-2020-11935
Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
fs/aufs/vfsub.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/fs/aufs/vfsub.c b/fs/aufs/vfsub.c
index e954cd7..a5e10c5 100644
--- a/fs/aufs/vfsub.c
+++ b/fs/aufs/vfsub.c
@@ -76,15 +76,8 @@ int vfsub_update_h_iattr(struct path *h_path, int *did)
struct file *vfsub_dentry_open(struct path *path, int flags)
{
- struct file *file;
-
- file = dentry_open(path, flags /* | __FMODE_NONOTIFY */,
+ return dentry_open(path, flags /* | __FMODE_NONOTIFY */,
current_cred());
- if (!IS_ERR_OR_NULL(file)
- && (file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
- i_readcount_inc(d_inode(path->dentry));
-
- return file;
}
struct file *vfsub_filp_open(const char *path, int oflags, int mode)
--
cgit v1.1
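Review bot: this deletes the CVE-2020-11935 fix (drop the i_readcount_inc() call from vfsub_dentry_open()) from the spec's patch set, so the new 0001-Apply-AUFS-5.patch must already contain it, otherwise the unbalanced i_readcount comes back. The blob ids suggest it does: this patch's post-image of fs/aufs/vfsub.c is a5e10c5, the aufs-k510.diff hunk above starts from `index a5e10c5c004f..`, i.e. the same file content, and the fix is noted as cherry-picked from aufs4-linux.git commit 515a586eeef3. Still, confirm with a grep for i_readcount_inc in 0001-Apply-AUFS-5.patch (expect no hits) and say so in the commit message.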


@ -19,12 +19,12 @@
%global _find_debuginfo_dwz_opts %{nil}
%define kernelversion 5
%define patchlevel 4
%define patchlevel 10
# sublevel is used for stable-based kernels
%define sublevel 83
%define sublevel 1
# Release number. Increase this before a rebuild.
%define rpmrel 2
%define rpmrel 1
%define fullrpmrel %{rpmrel}
%define rpmtag %{disttag}
@ -98,6 +98,16 @@
%bcond_with ccache
%bcond_without flow_abi
# 1. VirtualBox is for x86_32 and x86_64 only
# 2. I do not know how to solve the problem that userspace part of VirtualBox
# will be updated ahead of these binary modules. So just off building them.
%bcond_with binary_virtualbox_host
# shredder-kernel works only on x86_64, makes manipulations with syscalls tables,
# loading/unloading of the module failed sometimes on kernel 5.4
# and it has not been adapted for kernel 5.10 (is not buildable)
%bcond_with binary_shredder
# Kernel flavour
%if %{with nickel}
%define flavour nickel
@ -146,12 +156,9 @@
%define build_debug 1
# Build kernel-headers package
# Make headers of this kernel not default for rosa2016.1
%if %{mdvver} <= 201610
# Headers from LTS kernel 5.4 are default in rosa2019.1/05 for now
# and headers from 4.15 are default in rosa2016.1
%define build_headers 0
%else
%define build_headers 1
%endif
# build perf and cpupower tools
%define build_perf 1
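Review bot: with the %if %{mdvver} / %else / %endif gone, build_headers appears to be hard-coded to 0 for every target, so no kernel-headers subpackage is produced from 5.10 on any release; if that is intended only "for now", as the new comment says, expose it as a %bcond (for example %bcond_with headers) next to the other bconds so it can be flipped at build time instead of by editing the spec.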
@ -230,7 +237,7 @@ Source0: https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/linux-%{ta
# This is for disabling *config, mrproper, prepare, scripts on -devel rpms
# Needed, because otherwise the -devel won't build correctly.
Source2: disable-mrproper-prepare-scripts-configs-in-devel-rpms.patch
Source2: 0001-disable-mrproper-prepare-scripts-configs-in-devel-rp.patch
# TODO: make a separate package "ksobirator" and BR it
# after testing these macros properly
@ -271,15 +278,17 @@ Patch1: https://cdn.kernel.org/pub/linux/kernel/v%{kernelversion}.x/patch-%{k
# generated during that process, xmlto tries to get DTD files from the Net.
# If it fails, the whole build fails, which is unfortunate. Let us avoid
# this.
Patch101: perf-xmlto-skip-validation.patch
Patch101: 0001-perf-skip-xmlto-validation.patch
# http://bugs.rosalinux.ru/show_bug.cgi?id=6235
# http://bugs.rosalinux.ru/show_bug.cgi?id=6459
Patch102: audit-make-it-less-verbose.patch
Patch102: 0001-audit-make-it-less-verbose.patch
# AUFS 5 from http://aufs.sourceforge.net/
Patch109: fs-aufs.patch
Patch110: fs-aufs-2.patch
Patch109: 0001-Apply-AUFS-5.patch
# Unofficial AUFS for kernel 5.10
# https://sourceforge.net/projects/lxpup/files/Other/huge-kernels/kernel-5.10-aufs-changes/
Patch110: aufs-k510.diff
# For kmod() generator of RPM Provides
# Changes version of aacraid.ko
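Review bot: Patch110 points at a SourceForge directory listing, not at a specific file, and the commit message itself warns that this AUFS port is unofficial and may be unstable; record the exact file name, date and a sha256 in the comment (or in the sources file) so the diff can be re-fetched and compared against later drops, and so it is obvious which revision a future official aufs5 release supersedes. The renamed Patch109 (0001-Apply-AUFS-5.patch) should likewise say which aufs5 branch and commit it was generated from.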
@ -291,13 +300,11 @@ Patch111: 0001-Remove-RPM-illegal-chars-from-module-version.patch
# TODO: known problem: https://bugzilla.altlinux.org/show_bug.cgi?id=38225
Patch201: 0001-AltHa-LSM-module.patch
Patch202: 0002-Documentation-for-AltHa-LSM.patch
Patch203: 0003-security-altha-altha_lsm.c-build-fixed-with-kernel-5.patch
Patch204: 0004-altha-use-path-strings-instead-of-path-structs.patch
# Other patches
Patch301: objtool-sync-check.sh-set-the-exit-code-explicitly.patch
# sent to upstream, https://patchwork.kernel.org/patch/11446123/
Patch302: 0001-sign-file-full-functionality-with-modern-LibreSSL.patch
# Add sysctl to disable disk-based swap
Patch304: 0001-mm-add-sysctl-to-disable-disk-based-swap.patch
# Support loading GOST-signed modules
Patch305: 0001-crypto-support-loading-GOST-signed-kernel-modules.patch
# Allow to off modules signature check dynamically
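Review bot: Patch301 still names objtool-sync-check.sh-set-the-exit-code-explicitly.patch (shown here as unchanged context) while this commit deletes that file further down (the "@ -1,32 +0,0" hunk); unless the rename to a 0001- prefixed name is in a part of the diff not shown, %patch301 will fail at build time, so either update the file name or drop the Patch301 line together with the file. Dropping Patch304 here is consistent with the removal of the CONFIG_DISK_BASED_SWAP_DEFAULT_ON lines in the config section below.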
@ -361,14 +368,10 @@ BuildRequires: findutils util-linux
%if %{with binary_extra_modules}
BuildRequires: kernel-source-rtl8821ce
BuildRequires: kernel-source-tripso
%ifarch %{ix86} %{x86_64}
%if %{with binary_virtualbox_host}
BuildRequires: kernel-source-virtualbox
# TODO: drop it for kernels >= 5.6
# because all guest modules have been upstreamized
# https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
BuildRequires: kernel-source-virtualbox-vboxadditions
%endif
%ifarch %{x86_64}
%if %{with binary_shredder}
BuildRequires: kernel-source-shredder-kernel
%endif
# rosa-test-suite is maintained in certified branches only
@ -595,9 +598,11 @@ find /lib/modules/%{kver_full} -maxdepth 0 -empty -exec rm -rf {} \; || true
%{devel_root}/include/generated
%{devel_root}/include/keys
%{devel_root}/include/kvm
%{devel_root}/include/kunit
%{devel_root}/include/linux
%{devel_root}/include/math-emu
%{devel_root}/include/media
%{devel_root}/include/memory
%{devel_root}/include/misc
%{devel_root}/include/net
%{devel_root}/include/pcmcia
@ -933,21 +938,22 @@ latest kernel-uml-modules-%{flavour} %{kernelversion}.%{patchlevel}.x
%if %{with binary_extra_modules}
%ksob_mk_module_pkg -n 8821ce -s net/wireless
%ksob_mk_module_pkg -n 8821ce -s net/wireless -r rtl8821ce-blacklist
%ksob_mk_module_pkg -n xt_TRIPSO -s net -r tripso
%ifarch %{x86_64}
%if %{with binary_shredder}
%ksob_mk_module_pkg -n shredder-kernel -s extra -r rosa-shredder-user
%endif
#------------------------------------------------
# virtualbox host
%ifarch %{ix86} %{x86_64}
%if %{with binary_virtualbox_host}
%ksob_mk_module_pkg -n vboxnetflt -s misc
%ksob_mk_module_pkg -n vboxnetadp -s misc
%ksob_mk_module_pkg -n vboxdrv -s misc
%ksob_mk_module_pkg -n vboxpci -s misc
#------------------------------------------------
# a package which will pull all those modules
%package -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Summary: Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
@ -964,31 +970,7 @@ Meta package to pull VirtualBox host kernel modules for kernel-%{flavour}-%{kern
%files -n kernel-modules-virtualbox-host-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# empty
#------------------------------------------------
# virtualbox guest, to be dropped in kernels 5.6+ (upsreamized)
%ksob_mk_module_pkg -n vboxvideo -s misc
%ksob_mk_module_pkg -n vboxguest -s misc
%ksob_mk_module_pkg -n vboxsf -s misc
#------------------------------------------------
# a package which will pull all those modules
%package -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Summary: Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
Group: System/Kernel and hardware
Version: %{kversion}
Release: %{fullrpmrel}
Requires: kernel-module-vboxvideo-%{flavour}-%{buildrel}
Requires: kernel-module-vboxguest-%{flavour}-%{buildrel}
Requires: kernel-module-vboxsf-%{flavour}-%{buildrel}
%description -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
Meta package to pull VirtualBox guest kernel modules for kernel-%{flavour}-%{kernelversion}.%{patchlevel}
%files -n kernel-modules-virtualbox-guest-%{flavour}-%{kernelversion}.%{patchlevel}-latest
# end ifarch
%endif
# empty
%endif #ifarch x86
#------------------------------------------------
%if %{with nickel}
@ -1133,23 +1115,11 @@ for i in STREEBOG SHA1 SHA256 SHA512 ECRDSA RSA ; do
done
sed -i '/CONFIG_LSM/d' .config
echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,bpf,altha"' >> %{build_dir}/.config.append
sed -i '/CONFIG_SECURITY_ALTHA/d' .config
echo 'CONFIG_SECURITY_ALTHA=y' >> %{build_dir}/.config.append
%endif
# Disable disk-based swap (swap files and partitions) on certified systems by default
# because we cannot guarantee that data stored in swap is erased from disk securely.
# Our patch, based on Chromium OS kernel, allows to use only zram if CONFIG_DISK_BASED_SWAP_DEFAULT_ON=y.
# sysctl vm.disk_based_swap = 1 to allow disk-based swap, = 0 to disable it.
# Note that CONFIG_ZRAM_WRITEBACK is still on.
#sed -i '/CONFIG_DISK_BASED_SWAP_DEFAULT_ON/d' .config
#%if %{with nickel}
#echo 'CONFIG_DISK_BASED_SWAP_DEFAULT_ON=n' >> %{build_dir}/.config.append
#%else
echo 'CONFIG_DISK_BASED_SWAP_DEFAULT_ON=y' >> %{build_dir}/.config.append
#%endif
cat %{build_dir}/.config.append >> .config
# Store the config file in the appropriate directory.
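Review bot: adding "bpf" to CONFIG_LSM only sets the LSM order; it is a no-op unless CONFIG_BPF_LSM=y is also set, and nothing in this hunk forces that the way the next two lines force CONFIG_SECURITY_ALTHA=y. Add the same sed/echo pair for CONFIG_BPF_LSM (and the options it depends on: BPF_SYSCALL, BPF_EVENTS, BPF_JIT) to .config.append, or state in the commit that the config refresh marked TODO will do it. Since this block is under %if %{with nickel} (the certified flavour), it is also worth recording in the comment that attaching BPF LSM programs requires CAP_MAC_ADMIN, which is the property that makes enabling it there acceptable.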
@ -1381,7 +1351,7 @@ cp xt_TRIPSO.ko %{temp_modules}/%{kver_full}/kernel/net/
popd
rm -fr kernel-source-tripso
%ifarch %{x86_64}
%if %{with binary_shredder}
cp -r "$(rpm -q --qf '/usr/src/shredder-kernel-%%{VERSION}-%%{RELEASE}' kernel-source-shredder-kernel)" kernel-source-shredder-kernel
pushd kernel-source-shredder-kernel
%kmake KERNEL_PATH=%{src_dir}
@ -1391,25 +1361,8 @@ popd
rm -fr kernel-source-shredder-kernel
%endif
%ifarch %{ix86} %{x86_64}
%if %{with binary_virtualbox_host}
# build commands for virtualbox are based on the ones from the virtualbox package
cp -r "$(rpm -q --qf '/usr/src/vboxadditions-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox-vboxadditions)" kernel-source-virtualbox-vboxadditions
mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
pushd kernel-source-virtualbox-vboxadditions
%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxguest
cp -fv vboxguest/Module.symvers vboxsf/
%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxsf
# TODO: vboxvideo is also build inside the upstream kernel...
# vboxsf is not in kernel 5.4
# https://www.phoronix.com/scan.php?page=news_item&px=VirtualBox-Shared-Folder-5.6
cp -fv vboxsf/Module.symvers vboxvideo/
%kmake KERN_DIR=%{src_dir} KERN_VER=%{kver_full} -C vboxvideo
for i in vboxguest vboxsf vboxvideo
do
cp -v "${i}/${i}.ko" %{temp_modules}/%{kver_full}/kernel/misc/
done
popd
cp -r "$(rpm -q --qf '/usr/src/virtualbox-%%{VERSION}-%%{RELEASE}' kernel-source-virtualbox)" kernel-source-virtualbox
mkdir -p %{temp_modules}/%{kver_full}/kernel/misc/
pushd kernel-source-virtualbox
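Review bot: the out-of-tree vboxguest/vboxsf/vboxvideo build is removed here, but nothing in this commit turns on the in-tree replacements, and the kernel configs are still marked TODO in the commit message; make sure CONFIG_VBOXGUEST, CONFIG_VBOXSF_FS and CONFIG_DRM_VBOXVIDEO end up =m in the 5.10 configs, otherwise guests silently lose shared folders and the video driver that the old kernel-modules-virtualbox-guest packages used to provide.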
@ -1626,12 +1579,12 @@ cat > $kernel_files <<EOF
%if %{with binary_extra_modules}
# 8821ce.ko.debug will not be excluded and will be in the main debug subpackage
%exclude %{_modulesdir}/%{kver_full}/kernel/net/wireless/8821ce.ko%{kmod_suffix}
%ifarch %{x86_64}
%if %{with binary_shredder}
%exclude %{_modulesdir}/%{kver_full}/kernel/extra/shredder-kernel.ko%{kmod_suffix}
%endif
%ifarch %{ix86} %{x86_64}
# vbox host: vboxnetflt vboxnetadp vboxdrv vboxpci
# vbox guest: vboxvideo vboxguest vboxsf
%if %{with binary_virtualbox_host}
# vbox host modules may be built here (vboxnetflt vboxnetadp vboxdrv vboxpci)
# vbox guest modules are in the mainline kernel now (vboxvideo vboxguest vboxsf)
%exclude %{_modulesdir}/%{kver_full}/kernel/misc/vbox*.ko%{kmod_suffix}
%endif
%exclude %{_modulesdir}/%{kver_full}/kernel/net/xt_TRIPSO.ko%{kmod_suffix}


@ -1,32 +0,0 @@
From 6b70660e7d730b1ef79360ba7c23fc9f1d4b60e3 Mon Sep 17 00:00:00 2001
From: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
Date: Sat, 7 Mar 2020 19:23:40 +0300
Subject: [PATCH] objtool/sync-check.sh: set the exit code explicitly
Commit 6ec14aa7a58a "objtool: Silence build output" removed 'cd -' from
the end of sync-check.sh script. As a side-effect, the script now exits
with the exit code of the last executed 'check' command. If any of the
files it should check are missing (which is not an error per se), it will
return 1 and objtool will fail to build.
Explicit 'exit 0' at the end should fix that.
Fixes: 6ec14aa7a58a "objtool: Silence build output"
Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
---
tools/objtool/sync-check.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/objtool/sync-check.sh b/tools/objtool/sync-check.sh
index 2a1261bfbb62..f23bd02c1b77 100755
--- a/tools/objtool/sync-check.sh
+++ b/tools/objtool/sync-check.sh
@@ -48,3 +48,5 @@ check arch/x86/include/asm/inat.h '-I "^#include [\"<]\(asm/\)*inat_types.h[
check arch/x86/include/asm/insn.h '-I "^#include [\"<]\(asm/\)*inat.h[\">]"'
check arch/x86/lib/inat.c '-I "^#include [\"<]\(../include/\)*asm/insn.h[\">]"'
check arch/x86/lib/insn.c '-I "^#include [\"<]\(../include/\)*asm/in\(at\|sn\).h[\">]"'
+
+exit 0
--
2.24.0
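Review bot: the reason for dropping this patch is not stated; the commit message only mentions renaming files. If 5.10's tools/objtool/sync-check.sh is believed to no longer propagate the exit status of its last `check` call, confirm that by building with one of the checked arch headers absent (the failure mode the patch describes) before removing the workaround, and cite the upstream commit that fixed it. If it was meant to be renamed to a 0001- prefixed file instead, the rename is missing from this commit and the Patch301 line in the spec still refers to the old name.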