kernel-5.12.9-0
* Thu Jun 03 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.9-0] - selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal) Resolves: rhbz# Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
parent
9e0d342e20
commit
39ee1d7ded
|
@ -1,3 +1,6 @@
|
|||
https://gitlab.com/cki-project/kernel-ark/-/commit/26fb1eba374faf7704bab5126612ae87b9f9f9fa
|
||||
26fb1eba374faf7704bab5126612ae87b9f9f9fa selinux: Allow context mounts for unpriviliged overlayfs
|
||||
|
||||
https://gitlab.com/cki-project/kernel-ark/-/commit/b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc
|
||||
b8c43c4d0bdf8d9f4210e9f3263771c9f76d12bc Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS
|
||||
|
||||
|
|
11
kernel.spec
11
kernel.spec
|
@ -106,7 +106,7 @@ Summary: The Linux kernel
|
|||
%define primary_target rhel
|
||||
%endif
|
||||
|
||||
%define rpmversion 5.12.8
|
||||
%define rpmversion 5.12.9
|
||||
%define stableversion 5.12
|
||||
%define pkgrelease 200
|
||||
|
||||
|
@ -623,7 +623,7 @@ BuildRequires: clang
|
|||
# exact git commit you can run
|
||||
#
|
||||
# xzcat -qq ${TARBALL} | git get-tar-commit-id
|
||||
Source0: linux-5.12.8.tar.xz
|
||||
Source0: linux-5.12.9.tar.xz
|
||||
|
||||
Source1: Makefile.rhelver
|
||||
|
||||
|
@ -1277,8 +1277,8 @@ ApplyOptionalPatch()
|
|||
fi
|
||||
}
|
||||
|
||||
%setup -q -n kernel-5.12.8 -c
|
||||
mv linux-5.12.8 linux-%{KVERREL}
|
||||
%setup -q -n kernel-5.12.9 -c
|
||||
mv linux-5.12.9 linux-%{KVERREL}
|
||||
|
||||
cd linux-%{KVERREL}
|
||||
cp -a %{SOURCE1} .
|
||||
|
@ -2792,6 +2792,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Thu Jun 03 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.9-0]
|
||||
- selinux: Allow context mounts for unpriviliged overlayfs (Vivek Goyal)
|
||||
|
||||
* Wed May 26 2021 Justin M. Forbes <jforbes@fedoraproject.org> [5.12.7-0]
|
||||
- Fix up merge issue resulting in dual entries for ALC295_FIXUP_ASUS_DACS (Justin M. Forbes)
|
||||
- powerpc/64s/syscall: Fix ptrace syscall info with scv syscalls (Nicholas Piggin)
|
||||
|
|
|
@ -35,12 +35,12 @@
|
|||
include/linux/security.h | 5 +
|
||||
kernel/crash_core.c | 28 ++++-
|
||||
kernel/module_signing.c | 9 +-
|
||||
net/can/isotp.c | 49 +++++---
|
||||
security/integrity/platform_certs/load_uefi.c | 6 +-
|
||||
security/lockdown/Kconfig | 13 +++
|
||||
security/lockdown/lockdown.c | 1 +
|
||||
security/security.c | 6 +
|
||||
42 files changed, 652 insertions(+), 193 deletions(-)
|
||||
security/selinux/hooks.c | 3 +-
|
||||
42 files changed, 621 insertions(+), 178 deletions(-)
|
||||
|
||||
diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst
|
||||
index 75a9dd98e76e..3ff3291551f9 100644
|
||||
|
@ -65,7 +65,7 @@ index 75a9dd98e76e..3ff3291551f9 100644
|
|||
|
||||
Boot into System Kernel
|
||||
diff --git a/Makefile b/Makefile
|
||||
index a20afcb7d2bf..a19908237e8a 100644
|
||||
index d53577db1085..a34665269a9a 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -495,6 +495,7 @@ KBUILD_AFLAGS := -D__ASSEMBLY__ -fno-PIE
|
||||
|
@ -1468,95 +1468,6 @@ index 8723ae70ea1f..fb2d773498c2 100644
|
|||
+ }
|
||||
+ return ret;
|
||||
}
|
||||
diff --git a/net/can/isotp.c b/net/can/isotp.c
|
||||
index 9f94ad3caee9..253b24417c8e 100644
|
||||
--- a/net/can/isotp.c
|
||||
+++ b/net/can/isotp.c
|
||||
@@ -1062,27 +1062,31 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
|
||||
if (len < ISOTP_MIN_NAMELEN)
|
||||
return -EINVAL;
|
||||
|
||||
+ if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
|
||||
+ return -EADDRNOTAVAIL;
|
||||
+
|
||||
+ if (!addr->can_ifindex)
|
||||
+ return -ENODEV;
|
||||
+
|
||||
+ lock_sock(sk);
|
||||
+
|
||||
/* do not register frame reception for functional addressing */
|
||||
if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
|
||||
do_rx_reg = 0;
|
||||
|
||||
/* do not validate rx address for functional addressing */
|
||||
if (do_rx_reg) {
|
||||
- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
|
||||
- return -EADDRNOTAVAIL;
|
||||
+ if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
|
||||
+ err = -EADDRNOTAVAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
|
||||
- return -EADDRNOTAVAIL;
|
||||
+ if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
|
||||
+ err = -EADDRNOTAVAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
}
|
||||
|
||||
- if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
|
||||
- return -EADDRNOTAVAIL;
|
||||
-
|
||||
- if (!addr->can_ifindex)
|
||||
- return -ENODEV;
|
||||
-
|
||||
- lock_sock(sk);
|
||||
-
|
||||
if (so->bound && addr->can_ifindex == so->ifindex &&
|
||||
addr->can_addr.tp.rx_id == so->rxid &&
|
||||
addr->can_addr.tp.tx_id == so->txid)
|
||||
@@ -1164,16 +1168,13 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
|
||||
return ISOTP_MIN_NAMELEN;
|
||||
}
|
||||
|
||||
-static int isotp_setsockopt(struct socket *sock, int level, int optname,
|
||||
+static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
|
||||
sockptr_t optval, unsigned int optlen)
|
||||
{
|
||||
struct sock *sk = sock->sk;
|
||||
struct isotp_sock *so = isotp_sk(sk);
|
||||
int ret = 0;
|
||||
|
||||
- if (level != SOL_CAN_ISOTP)
|
||||
- return -EINVAL;
|
||||
-
|
||||
if (so->bound)
|
||||
return -EISCONN;
|
||||
|
||||
@@ -1248,6 +1249,22 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int isotp_setsockopt(struct socket *sock, int level, int optname,
|
||||
+ sockptr_t optval, unsigned int optlen)
|
||||
+
|
||||
+{
|
||||
+ struct sock *sk = sock->sk;
|
||||
+ int ret;
|
||||
+
|
||||
+ if (level != SOL_CAN_ISOTP)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ lock_sock(sk);
|
||||
+ ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
|
||||
+ release_sock(sk);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int isotp_getsockopt(struct socket *sock, int level, int optname,
|
||||
char __user *optval, int __user *optlen)
|
||||
{
|
||||
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
|
||||
index ee4b4c666854..eff9ff593405 100644
|
||||
--- a/security/integrity/platform_certs/load_uefi.c
|
||||
|
@ -1634,3 +1545,17 @@ index 5ac96b16f8fa..fc47d6de57ee 100644
|
|||
#ifdef CONFIG_PERF_EVENTS
|
||||
int security_perf_event_open(struct perf_event_attr *attr, int type)
|
||||
{
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index ddd097790d47..eca9fc0ba764 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -760,7 +760,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
|
||||
if (sb->s_user_ns != &init_user_ns &&
|
||||
strcmp(sb->s_type->name, "tmpfs") &&
|
||||
strcmp(sb->s_type->name, "ramfs") &&
|
||||
- strcmp(sb->s_type->name, "devpts")) {
|
||||
+ strcmp(sb->s_type->name, "devpts") &&
|
||||
+ strcmp(sb->s_type->name, "overlay")) {
|
||||
if (context_sid || fscontext_sid || rootcontext_sid ||
|
||||
defcontext_sid) {
|
||||
rc = -EACCES;
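Review bot: The added `strcmp(sb->s_type->name, "overlay")` term in the selinux_set_mnt_opts() condition extends the by-name list of filesystem types (tmpfs, ramfs, devpts) that skip the -EACCES path when a superblock from a non-init user namespace is mounted with context_sid, fscontext_sid, rootcontext_sid or defcontext_sid set, and nothing next to the condition records why overlay is safe to exempt. I would add a comment above the `if`, for example `/* overlay is exempt: unprivileged overlayfs mounts are permitted and need the context options; access to the underlying layers is presumably still checked with the mounter's credentials (confirm) */`. Since the exemption loosens a MAC check for unprivileged mounters, it is also worth confirming that a test covers both directions: an overlay context mount inside a user namespace succeeds, and a filesystem type not on the list still returns -EACCES. The body of selinux_set_mnt_opts() starts and ends outside this hunk, so the handling after `rc = -EACCES;` is not visible here.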
|
||||
|
|
6
sources
6
sources
|
@ -1,3 +1,3 @@
|
|||
SHA512 (linux-5.12.8.tar.xz) = 4af33ce63a4ce89205808bad9e84b72197ed9976d10fa8287d5690f2524cc51e542814399de08944dcb2cc2b8c708f449ed3888e10f98704d551d6ecd2236797
|
||||
SHA512 (kernel-abi-whitelists-5.12.8-200.tar.bz2) = 9140d492c44be9792d8defeef792e1879ece865b4df7d7fcf6ed4d76bacb4ad3afa4d68b0a517919d25176e13edbe9847568aaf9501de8b9bebf423a44e09e05
|
||||
SHA512 (kernel-kabi-dw-5.12.8-200.tar.bz2) = 59c9fab14bc3126224cc133ebfaac627ce849d4a8713b1c618dc6cdbcc8a8ebd2c28b2d6959fda340ae9630c91bd8a107c11ac0b02da887fda0b4cf52a3397e9
|
||||
SHA512 (linux-5.12.9.tar.xz) = 1c5e212aa17115c60cc73cd2f5736cfddd5f8d70f4196e261e3bf8ec30deeb22a0b8d6c22148333b14f74b81ee29307e7ed5a090d78abf8492e7bcf62bd75327
|
||||
SHA512 (kernel-abi-whitelists-5.12.9-200.tar.bz2) = 0cc71e2a2eaa9b2374f5a591418d2ddd3079ce27b559177572674408e1f24d0fbf4d7978e36fa955de8e4220c1582613ffd8fb4162da8ccc70338e4e3eeab648
|
||||
SHA512 (kernel-kabi-dw-5.12.9-200.tar.bz2) = 0bddc7298acd32944bdb20fbef0015b4c5559b8054779ec8d04b2fdf3747e1975755e4716dc2536f1de931aa1d4e05447d4a15ec20c3db58500af8aaaeeece65
|
||||
|
|