kernel-5.12.9-0

* Thu Jun 03 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.9-0] - selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal) Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
2021-06-03 08:34:54 -05:00 · 2021-06-03 08:34:54 -05:00 · 39ee1d7ded
parent 9e0d342e20
commit 39ee1d7ded
4 changed files with 30 additions and 99 deletions
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@ -1,3 +1,6 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/26fb1eba374faf7704bab5126612ae87b9f9f9fa
+ 26fb1eba374faf7704bab5126612ae87b9f9f9fa selinux: Allow context mounts for unpriviliged overlayfs
+
 https://gitlab.com/cki-project/kernel-ark/-/commit/b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc
 b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS

--- a/kernel.spec
+++ b/kernel.spec
@ -106,7 +106,7 @@ Summary: The Linux kernel
 %define primary_target rhel
 %endif

-%define rpmversion 5.12.8
+%define rpmversion 5.12.9
 %define stableversion 5.12
 %define pkgrelease 200

@ -623,7 +623,7 @@ BuildRequires: clang
 # exact git commit you can run
 #
 # xzcat -qq ${TARBALL} | git get-tar-commit-id
-Source0: linux-5.12.8.tar.xz
+Source0: linux-5.12.9.tar.xz

 Source1: Makefile.rhelver

@ -1277,8 +1277,8 @@ ApplyOptionalPatch()
  fi
 }

-%setup -q -n kernel-5.12.8 -c
-mv linux-5.12.8 linux-%{KVERREL}
+%setup -q -n kernel-5.12.9 -c
+mv linux-5.12.9 linux-%{KVERREL}

 cd linux-%{KVERREL}
 cp -a %{SOURCE1} .
@ -2792,6 +2792,9 @@ fi
 #
 #
 %changelog
+* Thu Jun 03 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.9-0]
+- selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal)
+
 * Wed May 26 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.7-0]
 - Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS (Justin M. Forbes)
 - powerpc/64s/syscall: Fix ptrace syscall info with scv syscalls (Nicholas Piggin)
--- a/patch-5.12-redhat.patch
+++ b/patch-5.12-redhat.patch
@ -35,12 +35,12 @@
 include/linux/security.h                           |   5 +
 kernel/crash_core.c                                |  28 ++++-
 kernel/module_signing.c                            |   9 +-
- net/can/isotp.c                                    |  49 +++++---
 security/integrity/platform_certs/load_uefi.c      |   6 +-
 security/lockdown/Kconfig                          |  13 +++
 security/lockdown/lockdown.c                       |   1 +
 security/security.c                                |   6 +
- 42 files changed, 652 insertions(+), 193 deletions(-)
+ security/selinux/hooks.c                           |   3 +-
+ 42 files changed, 621 insertions(+), 178 deletions(-)

 diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst
 index 75a9dd98e76e..3ff3291551f9 100644
@ -65,7 +65,7 @@ index 75a9dd98e76e..3ff3291551f9 100644

 Boot into System Kernel
 diff --git a/Makefile b/Makefile
-index a20afcb7d2bf..a19908237e8a 100644
+index d53577db1085..a34665269a9a 100644
 --- a/Makefile
 +++ b/Makefile
@@ -495,6 +495,7 @@ KBUILD_AFLAGS   := -D__ASSEMBLY__ -fno-PIE
@ -1468,95 +1468,6 @@ index 8723ae70ea1f..fb2d773498c2 100644
 +	}
 +	return ret;
 }
-diff --git a/net/can/isotp.c b/net/can/isotp.c
-index 9f94ad3caee9..253b24417c8e 100644
--- a/net/can/isotp.c
-+++ b/net/can/isotp.c
-@@ -1062,27 +1062,31 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
- 	if (len < ISOTP_MIN_NAMELEN)
- 		return -EINVAL;
-
-+	if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-+		return -EADDRNOTAVAIL;
-+
-+	if (!addr->can_ifindex)
-+		return -ENODEV;
-+
-+	lock_sock(sk);
-+
- 	/* do not register frame reception for functional addressing */
- 	if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
- 		do_rx_reg = 0;
-
- 	/* do not validate rx address for functional addressing */
- 	if (do_rx_reg) {
-		if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
-			return -EADDRNOTAVAIL;
-+		if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
-+			err = -EADDRNOTAVAIL;
-+			goto out;
-+		}
-
-		if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-			return -EADDRNOTAVAIL;
-+		if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
-+			err = -EADDRNOTAVAIL;
-+			goto out;
-+		}
- 	}
-
-	if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
-		return -EADDRNOTAVAIL;
-
-	if (!addr->can_ifindex)
-		return -ENODEV;
-
-	lock_sock(sk);
-
- 	if (so->bound && addr->can_ifindex == so->ifindex &&
- 	    addr->can_addr.tp.rx_id == so->rxid &&
- 	    addr->can_addr.tp.tx_id == so->txid)
-@@ -1164,16 +1168,13 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
- 	return ISOTP_MIN_NAMELEN;
- }
-
-static int isotp_setsockopt(struct socket *sock, int level, int optname,
-+static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
- 			    sockptr_t optval, unsigned int optlen)
- {
- 	struct sock *sk = sock->sk;
- 	struct isotp_sock *so = isotp_sk(sk);
- 	int ret = 0;
-
-	if (level != SOL_CAN_ISOTP)
-		return -EINVAL;
-
- 	if (so->bound)
- 		return -EISCONN;
-
-@@ -1248,6 +1249,22 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname,
- 	return ret;
- }
-
-+static int isotp_setsockopt(struct socket *sock, int level, int optname,
-+			    sockptr_t optval, unsigned int optlen)
-+
-+{
-+	struct sock *sk = sock->sk;
-+	int ret;
-+
-+	if (level != SOL_CAN_ISOTP)
-+		return -EINVAL;
-+
-+	lock_sock(sk);
-+	ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
-+	release_sock(sk);
-+	return ret;
-+}
-+
- static int isotp_getsockopt(struct socket *sock, int level, int optname,
- 			    char __user *optval, int __user *optlen)
- {
 diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
 index ee4b4c666854..eff9ff593405 100644
 --- a/security/integrity/platform_certs/load_uefi.c
@ -1634,3 +1545,17 @@ index 5ac96b16f8fa..fc47d6de57ee 100644
 #ifdef CONFIG_PERF_EVENTS
 int security_perf_event_open(struct perf_event_attr *attr, int type)
 {
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index ddd097790d47..eca9fc0ba764 100644
+--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
+@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
+ 	if (sb->s_user_ns != &init_user_ns &&
+ 	    strcmp(sb->s_type->name, "tmpfs") &&
+ 	    strcmp(sb->s_type->name, "ramfs") &&
+-	    strcmp(sb->s_type->name, "devpts")) {
+	    strcmp(sb->s_type->name, "devpts") &&
+	    strcmp(sb->s_type->name, "overlay")) {
+ 		if (context_sid || fscontext_sid || rootcontext_sid ||
+ 		    defcontext_sid) {
+ 			rc = -EACCES;
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (linux-5.12.8.tar.xz) = 4af33ce63a4ce89205808bad9e84b72197ed9976d10fa8287d5690f2524cc51e542814399de08944dcb2cc2b8c708f449ed3888e10f98704d551d6ecd2236797
-SHA512 (kernel-abi-whitelists-5.12.8-200.tar.bz2) = 9140d492c44be9792d8defeef792e1879ece865b4df7d7fcf6ed4d76bacb4ad3afa4d68b0a517919d25176e13edbe9847568aaf9501de8b9bebf423a44e09e05
-SHA512 (kernel-kabi-dw-5.12.8-200.tar.bz2) = 59c9fab14bc3126224cc133ebfaac627ce849d4a8713b1c618dc6cdbcc8a8ebd2c28b2d6959fda340ae9630c91bd8a107c11ac0b02da887fda0b4cf52a3397e9
+SHA512 (linux-5.12.9.tar.xz) = 1c5e212aa17115c60cc73cd2f5736cfddd5f8d70f4196e261e3bf8ec30deeb22a0b8d6c22148333b14f74b81ee29307e7ed5a090d78abf8492e7bcf62bd75327
+SHA512 (kernel-abi-whitelists-5.12.9-200.tar.bz2) = 0cc71e2a2eaa9b2374f5a591418d2ddd3079ce27b559177572674408e1f24d0fbf4d7978e36fa955de8e4220c1582613ffd8fb4162da8ccc70338e4e3eeab648
+SHA512 (kernel-kabi-dw-5.12.9-200.tar.bz2) = 0bddc7298acd32944bdb20fbef0015b4c5559b8054779ec8d04b2fdf3747e1975755e4716dc2536f1de931aa1d4e05447d4a15ec20c3db58500af8aaaeeece65