5.14.13-xanmod1

2025-02-24 01:22:47 +00:00 · 2021-10-21 22:47:53 +03:00 · 2021-10-21 22:47:53 +03:00 · 9477ab1a9a
commit 9477ab1a9a
parent 1fbfa2238a
13 changed files with 1061 additions and 564 deletions
--- a/.abf.yml
+++ b/.abf.yml
@ -1,5 +1,4 @@
 sources:
  linux-5.14.tar.xz: 82c1b2888febfe12510a8e83e09b7652c606ffda
  patch-5.14.13-xanmod1.xz: ce79c3af8a2f3bdfdecdb1c690753a7e9aa53ea6
-
+  
--- a/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
+++ b/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
@ -0,0 +1,37 @@
 From 36dc5cf3039c0751fe95370a247ca1c23c06571c Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Mon, 10 Aug 2020 10:38:20 +0300
 Subject: [PATCH] ROSA: ima: allow to off modules signature check dynamically
 Allow module.sig_enforce=0 kernel cmdline, not only module.sig_enforce=1
 It allows to keep CONFIG_MODULE_SIG_FORCE=y, but disable it when really needed
 without recompiling the kernel (it may be impossible, e.g. in certified systems).
 GRUB or another bootloader is password-protected when needed,
 so I am not afraid much that someone will be able to turn it off when not needed.
 ROSA-specific patch.
 This violates requirements of "secure boot", but currently we do not have secure boot in ROSA.
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 kernel/module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/kernel/module.c b/kernel/module.c
 index 6baa1080c..118d8ee60 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
@@ -274,7 +274,7 @@
 #ifdef CONFIG_MODULE_SIG
 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
 -module_param(sig_enforce, bool_enable_only, 0644);
 +module_param(sig_enforce, bool, 0644);
 void set_module_sig_enforced(void)
 {
 -- 
 2.17.1
--- a/0001-audit-make-it-less-verbose.patch
+++ b/0001-audit-make-it-less-verbose.patch
@ -0,0 +1,34 @@
 From edce12c92c0d1e02a6f41344290ee7adee745ef4 Mon Sep 17 00:00:00 2001
 From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
 Date: Wed, 11 Dec 2019 21:10:42 +0300
 Subject: [PATCH] audit: make it less verbose
 It seems, if audit itself is not installed and therefore nothing listens
 to the messages from the kernel's audit subsystem, the latter spams the
 kernel log with such messages.
 Let us make them debug-level and thus invisible by default.
 http://bugs.rosalinux.ru/show_bug.cgi?id=6235
 http://bugs.rosalinux.ru/show_bug.cgi?id=6459
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 kernel/audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/kernel/audit.c b/kernel/audit.c
 index 68cee3bc8cfe..805633090ea5 100644
 --- a/kernel/audit.c
 +++ b/kernel/audit.c
@@ -535,7 +535,7 @@ static void kauditd_printk_skb(struct sk_buff *skb)
 	char *data = nlmsg_data(nlh);
 	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
 -		pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
 +		pr_debug("type=%d %s\n", nlh->nlmsg_type, data);
 }
 /**
 -- 
 2.25.1
--- a/0001-crypto-support-loading-GOST-signed-kernel-modules.patch
+++ b/0001-crypto-support-loading-GOST-signed-kernel-modules.patch
@ -0,0 +1,46 @@
 From 59bf6ed4709ea82d63be300814af2c4c94503e14 Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Thu, 6 Aug 2020 14:17:31 +0300
 Subject: [PATCH] crypto: support loading GOST-signed kernel modules
 Support loading kernel modules signed with:
 * 1.2.643.7.1.1.1.1 id-tc26-gost3410-12-256
 * 1.2.643.7.1.1.1.2 id-tc26-gost3410-12-512
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 crypto/asymmetric_keys/pkcs7_parser.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
 diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
 index 967329e0a07b..39c260a04167 100644
 --- a/crypto/asymmetric_keys/pkcs7_parser.c
 +++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -248,6 +248,12 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
 	case OID_sha224:
 		ctx->sinfo->sig->hash_algo = "sha224";
 		break;
 +	case OID_gost2012Digest256:
 +		ctx->sinfo->sig->hash_algo = "streebog256";
 +		break;
 +	case OID_gost2012Digest512:
 +		ctx->sinfo->sig->hash_algo = "streebog512";
 +		break;
 	default:
 		printk("Unsupported digest algo: %u\n", ctx->last_oid);
 		return -ENOPKG;
@@ -269,6 +275,11 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
 		ctx->sinfo->sig->pkey_algo = "rsa";
 		ctx->sinfo->sig->encoding = "pkcs1";
 		break;
 +	case OID_gost2012PKey256:
 +	case OID_gost2012PKey512:
 +		ctx->sinfo->sig->pkey_algo = "ecrdsa";
 +		ctx->sinfo->sig->encoding = "raw";
 +		break;
 	default:
 		printk("Unsupported pkey algo: %u\n", ctx->last_oid);
 		return -ENOPKG;
 -- 
 2.17.1
--- a/0001-perf-skip-xmlto-validation.patch
+++ b/0001-perf-skip-xmlto-validation.patch
@ -0,0 +1,30 @@
 From 8d376cb0241182ae4859db3aa7f790996054ae75 Mon Sep 17 00:00:00 2001
 From: Evgenii Shatokhin <eugene.shatokhin@rosalab.ru>
 Date: Wed, 11 Dec 2019 21:12:06 +0300
 Subject: [PATCH] perf: skip xmlto validation
 Perf docs are built after all the kernels. To validate the xml files
 generated during that process, xmlto tries to get DTD files from the Net.
 If it fails, the whole build fails, which is unfortunate. Let us avoid this.
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 tools/perf/Documentation/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile
 index 6e54979c2124..ccbc7a68769d 100644
 --- a/tools/perf/Documentation/Makefile
 +++ b/tools/perf/Documentation/Makefile
@@ -51,7 +51,7 @@ ASCIIDOC=asciidoc
 ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
 ASCIIDOC_HTML = xhtml11
 MANPAGE_XSL = manpage-normal.xsl
 -XMLTO_EXTRA =
 +XMLTO_EXTRA = --skip-validation
 INSTALL?=install
 RM ?= rm -f
 DOC_REF = origin/man
 -- 
 2.25.1
--- a/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
+++ b/0001-sign-file-full-functionality-with-modern-LibreSSL.patch
@ -0,0 +1,47 @@
 From 7fac9b5a88bf45574b92cc3ad74fac32f3bacbcc Mon Sep 17 00:00:00 2001
 From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 Date: Thu, 19 Mar 2020 00:15:41 +0300
 Subject: [PATCH] sign-file: full functionality with modern LibreSSL
 Current pre-release version of LibreSSL has enabled CMS support,
 and now sign-file is fully functional with it.
 See https://github.com/libressl-portable/openbsd/commits/master
 To test buildability with LibreSSL:
 ~$ git clone https://github.com/libressl-portable/portable.git
 ~$ cd portable && ./autogen.sh
 ~$ ./configure --prefix=/opt/libressl
 ~$ make
 ~# make install
 Go to the kernel source tree and:
 ~$ gcc -I/opt/libressl/include -L /opt/libressl/lib -lcrypto -Wl,-rpath,/opt/libressl/lib scripts/sign-file.c -o scripts/sign-file
 Fixes: f8688017 ("sign-file: fix build error in sign-file.c with libressl")
 Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
 ---
 scripts/sign-file.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/scripts/sign-file.c b/scripts/sign-file.c
 index fbd34b8e8f57..fd4d7c31d1bf 100644
 --- a/scripts/sign-file.c
 +++ b/scripts/sign-file.c
@@ -41,9 +41,10 @@
  * signing with anything other than SHA1 - so we're stuck with that if such is
  * the case.
  */
 -#if defined(LIBRESSL_VERSION_NUMBER) || \
 -	OPENSSL_VERSION_NUMBER < 0x10000000L || \
 -	defined(OPENSSL_NO_CMS)
 +#if defined(OPENSSL_NO_CMS) || \
 +	( defined(LIBRESSL_VERSION_NUMBER) \
 +	&& (LIBRESSL_VERSION_NUMBER < 0x3010000fL) ) || \
 +	OPENSSL_VERSION_NUMBER < 0x10000000L
 #define USE_PKCS7
 #endif
 #ifndef USE_PKCS7
 -- 
 2.20.1
--- a/audit-make-it-less-verbose.patch
+++ b/audit-make-it-less-verbose.patch
@ -1,21 +0,0 @@
 It seems, if audit itself is not installed and therefore nothing listens
 to the messages from the kernel's audit subsystem, the latter spams the
 kernel log with such messages.
 Let us make them debug-level and thus invisible by default.
 http://bugs.rosalinux.ru/show_bug.cgi?id=6235
 http://bugs.rosalinux.ru/show_bug.cgi?id=6459
 diff -Naur linux-5.9.orig/kernel/audit.c linux-5.9/kernel/audit.c
 --- linux-5.9.orig/kernel/audit.c	2020-10-17 12:03:17.445125041 +0300
 +++ linux-5.9/kernel/audit.c	2020-10-17 12:03:17.455125041 +0300
@@ -535,7 +535,7 @@
 	char *data = nlmsg_data(nlh);
 	if (nlh->nlmsg_type != AUDIT_EOE && printk_ratelimit())
 -		pr_notice("type=%d %s\n", nlh->nlmsg_type, data);
 +		pr_debug("type=%d %s\n", nlh->nlmsg_type, data);
 }
 /**
--- a/kernel-xanmod.spec
+++ b/kernel-xanmod.spec
--- a/kernel.rpmlintrc
+++ b/kernel.rpmlintrc
@ -2,36 +2,9 @@
 addFilter("E: zero-length")
 addFilter("E: incoherent-version-in-name")
 addFilter("E: unstripped-binary-or-object")
 addFilter("E: executable-sourced-script")
 addFilter("E: executable-in-library-package")
 addFilter("E: devel-dependency")
 addFilter("E: hardcoded-library-path")
 addFilter("E: useless-provides")
 addFilter("W: devel-file-in-non-devel-package")
 addFilter("W: dangling-relative-symlink")
 addFilter("W: non-executable-script")
 addFilter("W: script-without-shebang")
-
+# longer descriptions are allowed in rpm4 platforms
-addFilter("W: no-documentation")
+addFilter("E: description-line-too-long")
 addFilter("W: spurious-executable-perm")
 addFilter("W: summary-not-capitalized")
 addFilter("W: obsolete-not-provided")
 addFilter("W: non-standard-dir-in-usr")
 addFilter("W: no-major-in-name")
 addFilter("W: no-dependency-on")
 addFilter("W: name-repeated-in-summary")
 addFilter("W: unversioned-explicit-provides")
 addFilter("W: hidden-file-or-dir")
 addFilter("W: filename-too-long-for-joliet")
 addFilter("W: dangerous-command-in-%preun")
 addFilter("W: dangerous-command-in-%postun")
 addFilter("W: dangerous-command-in-%post")
--- a/linux-5.13-attribute-error.patch
+++ b/linux-5.13-attribute-error.patch
@ -1,15 +0,0 @@
 diff -up linux-5.13/tools/include/linux/compiler-gcc.h.2~ linux-5.13/tools/include/linux/compiler-gcc.h
 --- linux-5.13/tools/include/linux/compiler-gcc.h.2~	2021-06-28 00:21:11.000000000 +0200
 +++ linux-5.13/tools/include/linux/compiler-gcc.h	2021-07-09 01:09:40.704907665 +0200
@@ -16,9 +16,9 @@
 # define __fallthrough __attribute__ ((fallthrough))
 #endif
 -#if GCC_VERSION >= 40300
 +#if __has_attribute(error)
 # define __compiletime_error(message) __attribute__((error(message)))
 -#endif /* GCC_VERSION >= 40300 */
 +#endif /* __has_attribute(error) */
 /* &a[0] degrades to a pointer: a different type from an array */
 #define __must_be_array(a)	BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
--- a/macros.ksobirator
+++ b/macros.ksobirator
@ -0,0 +1,40 @@
 # ksobirator RPM macros
 # For now they are bundled in the kernel package,
 # in the future, after testing, ksobirator will become a separate package
 # which will be BuildRequired from kernel packages
 # TODO: define it somewhere else...
 # TODO: avoid depending from %%flavour, %%buildrel etc ?!
 # TODO: fail if needed macros are not defined
 %ksob_kernel %{kernelversion}.%{patchlevel}-%{flavour}
 # %%ksob_mk_module_pkg -n module name -s module section [ -r additional requires for this package ]
 # Examples:
 # %%ksob_mk_module_pkg -n shredder -s extra -r /usr/bin/wipe
 # %%ksob_mk_module_pkg -n shredder -s extra
 %ksob_mk_module_pkg(n:s:r:) \
 \
 %define module_name        %{-n:%{-n*}}%{!-n:%{error:Module name not defined!}} \
 %define pkg_main kernel-module-%{module_name}-%{ksob_kernel} \
 %define module_section     %{-s:%{-s*}}%{!-s:%{error:Module section (e.g. extra) not defined!}} \
 \
 %{expand: \
 %package -n %{pkg_main} \
 # TODO: convert long kernel name to one macro \
 Summary: Binary module %{module_name} for kernel-%{ksob_kernel} \
 Group: System/Kernel and hardware \
 \
 %{-r:Requires: %{-r*}} \
 Requires: %{name}%{_isa} = %{EVRD} \
 Provides: installonlypkg(kernel-module) = %{EVRD}.module.%{module_name} \
 Obsoletes: kernel-module-%{module_name}-%{flavour}-%{kernelversion}.%{patchlevel}-latest < 5.10.34-2 \
 \
 %description -n %{pkg_main} \
 Binary module %{module_name} for kernel-%{ksob_kernel} \
 \
 %files -n %{pkg_main} \
 # XXX TODO: how to %%exclude these files from the main package automatically? \
 %{_modulesdir}/%{kver_full}/kernel/%{module_section}/%{module_name}.ko%{kmod_suffix} \
 \
 %{nil} \
 }
--- a/perf-xmlto-skip-validation.patch
+++ b/perf-xmlto-skip-validation.patch
@ -1,12 +0,0 @@
 diff -Naur linux-5.9.orig/tools/perf/Documentation/Makefile linux-5.9/tools/perf/Documentation/Makefile
 --- linux-5.9.orig/tools/perf/Documentation/Makefile	2020-10-17 12:00:45.497122395 +0300
 +++ linux-5.9/tools/perf/Documentation/Makefile	2020-10-17 12:00:47.205122425 +0300
@@ -51,7 +51,7 @@
 ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf
 ASCIIDOC_HTML = xhtml11
 MANPAGE_XSL = manpage-normal.xsl
 -XMLTO_EXTRA =
 +XMLTO_EXTRA = --skip-validation
 INSTALL?=install
 RM ?= rm -f
 DOC_REF = origin/man
--- a/xanmod-futex2-error-avoid.patch
+++ b/xanmod-futex2-error-avoid.patch
@ -1,13 +0,0 @@
 diff --git a/tools/perf/bench/futex.h b/tools/perf/bench/futex.h
 index 915bf3da7ce2..6e62e7708fde 100644
 --- a/tools/perf/bench/futex.h
 +++ b/tools/perf/bench/futex.h
@@ -11,7 +11,7 @@
 #include <unistd.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 -#include <linux/futex.h>
 +#include "../../include/uapi/linux/futex.h"
 /**
  * futex() - SYS_futex syscall wrapper