Linux v3.14-12042-g69cd9eba3886

2014-04-10 09:38:28 -04:00 · 2014-04-10 09:38:28 -04:00 · 700baa35a6
commit 700baa35a6
parent c8c935eaa3
15 changed files with 249 additions and 421 deletions
--- a/secure-modules.patch
+++ b/secure-modules.patch
@ -1,7 +1,7 @@
 Bugzilla: N/A
 Upstream-status: Fedora mustard.  Replaced by securelevels, but that was nak'd

-From b0466e5c5483957f8ca30b8f1bcf60bbad9d40aa Mon Sep 17 00:00:00 2001
+From 0f81a4461431941c17ff26fd3d5e284ede4a368a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 17:58:15 -0400
 Subject: [PATCH 01/14] Add secure_modules() call
@ -17,10 +17,10 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 2 files changed, 17 insertions(+)

 diff --git a/include/linux/module.h b/include/linux/module.h
-index eaf60ff9ba94..5ab9d81e3b96 100644
+index f520a767c86c..fc9b54eb779e 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -512,6 +512,8 @@ int unregister_module_notifier(struct notifier_block *nb);
+@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block *nb);
 
 extern void print_modules(void);
 
@ -29,7 +29,7 @@ index eaf60ff9ba94..5ab9d81e3b96 100644
 #else /* !CONFIG_MODULES... */
 
 /* Given an address, look for it in the exception tables. */
-@@ -622,6 +624,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
+@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block *nb)
 static inline void print_modules(void)
 {
 }
@ -42,10 +42,10 @@ index eaf60ff9ba94..5ab9d81e3b96 100644
 
 #ifdef CONFIG_SYSFS
 diff --git a/kernel/module.c b/kernel/module.c
-index 8dc7f5e80dd8..62f9b72bf85e 100644
+index 11869408f79b..2b9204fe055f 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -3833,3 +3833,13 @@ void module_layout(struct module *mod,
+@@ -3835,3 +3835,13 @@ void module_layout(struct module *mod,
 }
 EXPORT_SYMBOL(module_layout);
 #endif
@ -63,7 +63,7 @@ index 8dc7f5e80dd8..62f9b72bf85e 100644
 1.8.5.3


-From 3df1daaa8cd3c8450fd8fda62ff4836eddbf0f09 Mon Sep 17 00:00:00 2001
+From 806c4ee0e6484b529b88b3d0ceb49f6edf96ae11 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:10:38 -0500
 Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is
@ -182,7 +182,7 @@ index 24750a1b39b6..fa57896b97dd 100644
 1.8.5.3


-From c14a3599cdf71ccd6ea47e8b404412b8e7a5c1b3 Mon Sep 17 00:00:00 2001
+From 16ee82e2add8684e374451e6ba34be3ee41e4ef1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Thu, 8 Mar 2012 10:35:59 -0500
 Subject: [PATCH 03/14] x86: Lock down IO port access when module security is
@ -255,7 +255,7 @@ index 917403fe10da..cdf839f9defe 100644
 1.8.5.3


-From ccbc02eee179074b13acc2d7dfd17835726a579a Mon Sep 17 00:00:00 2001
+From 2fd4b35393b19cde87e4770d3b85d12760e72f6a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:39:37 -0500
 Subject: [PATCH 04/14] ACPI: Limit access to custom_method
@ -287,7 +287,7 @@ index c68e72414a67..4277938af700 100644
 1.8.5.3


-From b40f05f5ec470bc59f41ca7ce66ea09614db60ea Mon Sep 17 00:00:00 2001
+From 543d64276237adb782ec30a5dab67d0b21afc1d4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 08:46:50 -0500
 Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module
@ -342,7 +342,7 @@ index c5e082fb82fa..03c57fc8de8a 100644
 1.8.5.3


-From bfa6f400f5e0f98772f3c77b60d8ac3d39b080a8 Mon Sep 17 00:00:00 2001
+From 6e2fec5547b597c43ca72e34729b8a402660a7c1 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Mar 2012 09:28:15 -0500
 Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is
@ -385,7 +385,7 @@ index cdf839f9defe..c63cf93b00eb 100644
 1.8.5.3


-From e399403d8b74cbbb23ead4e43b70b4d82ee00402 Mon Sep 17 00:00:00 2001
+From 358cea0a54f726fa61839b411f3f54284d4588bf Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 25 Jun 2012 19:57:30 -0400
 Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module
@ -401,7 +401,7 @@ Signed-off-by: Josh Boyer <jwboyer@redhat.com>
 1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 27f84af4e337..bd3ac0947890 100644
+index f7fd72ac69cf..ccdae1c8c386 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
@@ -44,6 +44,7 @@
@ -425,7 +425,7 @@ index 27f84af4e337..bd3ac0947890 100644
 1.8.5.3


-From 686268dea5fa802409d99f964005bc57d62f6b04 Mon Sep 17 00:00:00 2001
+From 89751b3ad4dea7cf5b806cd14126dd70657a9148 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 03:33:56 -0400
 Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module
@ -441,18 +441,18 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 1 file changed, 8 insertions(+)

 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index 45601cf41bee..d5819bb45bec 100644
+index c8380ad203bc..e6eb239f567a 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
-@@ -32,6 +32,7 @@
- #include <linux/vmalloc.h>
+@@ -33,6 +33,7 @@
 #include <linux/swap.h>
 #include <linux/syscore_ops.h>
+ #include <linux/compiler.h>
 +#include <linux/module.h>
 
 #include <asm/page.h>
 #include <asm/uaccess.h>
-@@ -947,6 +948,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
+@@ -948,6 +949,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
 		return -EPERM;
 
 	/*
@ -470,7 +470,7 @@ index 45601cf41bee..d5819bb45bec 100644
 1.8.5.3


-From 4a1068eb94b99cab1d31a8a87eea9aafb39bcea0 Mon Sep 17 00:00:00 2001
+From 31174421a7103571a1c3faf7ba27d4045e5fbc18 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Tue, 3 Sep 2013 11:23:29 -0400
 Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted
@ -510,7 +510,7 @@ index 98d357584cd6..efe99dee9510 100644
 1.8.5.3


-From 569d0384d6846dae76910d5104666f11597a6a78 Mon Sep 17 00:00:00 2001
+From ea5cf8801db979fa7d5f90ab3faf72eb22490f9b Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 8 Feb 2013 11:12:13 -0800
 Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is
@ -527,7 +527,7 @@ Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
 1 file changed, 7 insertions(+)

 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index 05266b5aae22..e2bd647f676e 100644
+index c9603ac80de5..8bef43fc3f40 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
@ -555,7 +555,7 @@ index 05266b5aae22..e2bd647f676e 100644
 1.8.5.3


-From bca29272512c8646bf2feaf304a0eceb05c0d0c0 Mon Sep 17 00:00:00 2001
+From 2985684ff78972bde7ebf1e295b52afd9bea29e0 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <matthew.garrett@nebula.com>
 Date: Fri, 9 Aug 2013 18:36:30 -0400
 Subject: [PATCH 11/14] Add option to automatically enforce module signatures
@ -591,10 +591,10 @@ index 199f453cb4de..ec38acf00b40 100644
 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures
 2D0/A00	ALL	e820_map	E820 memory map table
 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 26237934ac87..e27b78bcca34 100644
+index 5b8ec0f53b57..085d5eb36361 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1597,6 +1597,16 @@ config EFI_MIXED
+@@ -1534,6 +1534,16 @@ config EFI_MIXED
 
 	   If unsure, say N.
 
@ -687,10 +687,10 @@ index 225b0988043a..90dbfb73e11f 100644
 	 * The sentinel is set to a nonzero value (0xff) in header.S.
 	 *
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index fa511acff7e6..aa227f68687c 100644
+index 09c76d265550..5a61d732fd5c 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1143,6 +1143,12 @@ void __init setup_arch(char **cmdline_p)
+@@ -1142,6 +1142,12 @@ void __init setup_arch(char **cmdline_p)
 
 	io_delay_init();
 
@ -704,10 +704,10 @@ index fa511acff7e6..aa227f68687c 100644
 	 * Parse the ACPI tables for possible boot-time SMP configuration.
 	 */
 diff --git a/include/linux/module.h b/include/linux/module.h
-index 5ab9d81e3b96..83144dd56ff0 100644
+index fc9b54eb779e..7377bc851461 100644
 --- a/include/linux/module.h
 +++ b/include/linux/module.h
-@@ -191,6 +191,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
+@@ -188,6 +188,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add);
 
 struct notifier_block;
 
@ -721,10 +721,10 @@ index 5ab9d81e3b96..83144dd56ff0 100644
 
 extern int modules_disabled; /* for sysctl */
 diff --git a/kernel/module.c b/kernel/module.c
-index 62f9b72bf85e..dcfb07ae5e4e 100644
+index 2b9204fe055f..2b8cc2d57c16 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
-@@ -3834,6 +3834,13 @@ void module_layout(struct module *mod,
+@@ -3836,6 +3836,13 @@ void module_layout(struct module *mod,
 EXPORT_SYMBOL(module_layout);
 #endif
 
@ -742,7 +742,7 @@ index 62f9b72bf85e..dcfb07ae5e4e 100644
 1.8.5.3


-From 67ff850d16232e30c39109d29510d2a4aef34de9 Mon Sep 17 00:00:00 2001
+From b2e4ea728ccab2befbd5fe1bd834881a7dd8f34b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Tue, 5 Feb 2013 19:25:05 -0500
 Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode
@ -801,7 +801,7 @@ index b00745ff398a..bf42cc5f083d 100644
 1.8.5.3


-From 53645ba848224ee81978b17c5e5328dca798466f Mon Sep 17 00:00:00 2001
+From fb418c682d01c447d30b5591a591fdbf33b1334e Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:28:43 -0400
 Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
@ -815,10 +815,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 1 file changed, 2 insertions(+), 1 deletion(-)

 diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index e27b78bcca34..dfd068b32cdc 100644
+index 085d5eb36361..3e8d398a976d 100644
 --- a/arch/x86/Kconfig
 +++ b/arch/x86/Kconfig
-@@ -1598,7 +1598,8 @@ config EFI_MIXED
+@@ -1535,7 +1535,8 @@ config EFI_MIXED
 	   If unsure, say N.
 
 config EFI_SECURE_BOOT_SIG_ENFORCE
@ -832,7 +832,7 @@ index e27b78bcca34..dfd068b32cdc 100644
 1.8.5.3


-From e5b7eaf1b5d04ec739464b6e2df21c666d060c69 Mon Sep 17 00:00:00 2001
+From 87bf357dd4589cfca043ec4b641b912a088b1234 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Tue, 27 Aug 2013 13:33:03 -0400
 Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit
@ -847,10 +847,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 2 files changed, 3 insertions(+)

 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index aa227f68687c..c7cf7919b3c4 100644
+index 5a61d732fd5c..23fe9bf3c401 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -1145,7 +1145,9 @@ void __init setup_arch(char **cmdline_p)
+@@ -1144,7 +1144,9 @@ void __init setup_arch(char **cmdline_p)
 
 #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
 	if (boot_params.secure_boot) {