Linux v5.0-7001-g610cd4eadec4

2019-03-08 16:38:03 +00:00 · 2019-03-08 16:38:03 +00:00 · 6c72c6753e
parent ece6441001
commit 6c72c6753e
20 changed files with 240 additions and 293 deletions
--- a/configs/fedora/generic/CONFIG_LSM
+++ b/configs/fedora/generic/CONFIG_LSM
@ -0,0 +1 @@
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
--- a/configs/fedora/generic/CONFIG_SECURITY_SAFESETID
+++ b/configs/fedora/generic/CONFIG_SECURITY_SAFESETID
@ -0,0 +1 @@
 # CONFIG_SECURITY_SAFESETID is not set
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@ -1,7 +1,7 @@
-From 73958cc1f78cfc69f3b1ec26a3406b3c45f6d202 Mon Sep 17 00:00:00 2001
+From e8b9c4420c929255708e0bff42142de49ff1971b Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 9 Apr 2018 09:52:45 +0100
-Subject: [PATCH 01/24] Add the ability to lock down access to the running
+Subject: [PATCH 01/22] Add the ability to lock down access to the running
 kernel image
 Provide a single call to allow kernel code to determine whether the system
@ -43,18 +43,18 @@ primarily applies to ISA hardware devices.
 Signed-off-by: David Howells <dhowells@redhat.com>
 ---
 arch/x86/kernel/setup.c |  2 ++
- include/linux/kernel.h  | 32 ++++++++++++++++++++++++
+ include/linux/kernel.h  | 32 ++++++++++++++++++++
- security/Kconfig        | 23 ++++++++++++++++-
+ security/Kconfig        | 23 ++++++++++++++-
- security/Makefile       |  3 +++
+ security/Makefile       |  3 ++
- security/lock_down.c    | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
+ security/lock_down.c    | 65 +++++++++++++++++++++++++++++++++++++++++
 5 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 security/lock_down.c
 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
-index 6285697b6e56..566f0f447053 100644
+index 3d872a527cd9..cf2f3df1b8d7 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
-@@ -996,6 +996,8 @@ void __init setup_arch(char **cmdline_p)
+@@ -1005,6 +1005,8 @@ void __init setup_arch(char **cmdline_p)
 	if (efi_enabled(EFI_BOOT))
 		efi_init();
@ -64,10 +64,10 @@ index 6285697b6e56..566f0f447053 100644
 	dmi_memdev_walk();
 	dmi_set_dump_stack_arch_desc();
 diff --git a/include/linux/kernel.h b/include/linux/kernel.h
-index 4ae1dfd9bf05..7d085cca9cee 100644
+index a8868a32098c..4e63db72cfea 100644
 --- a/include/linux/kernel.h
 +++ b/include/linux/kernel.h
-@@ -306,6 +306,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
+@@ -350,6 +350,38 @@ static inline void refcount_error_report(struct pt_regs *regs, const char *err)
 { }
 #endif
@ -107,10 +107,10 @@ index 4ae1dfd9bf05..7d085cca9cee 100644
 int __must_check _kstrtoul(const char *s, unsigned int base, unsigned long *res);
 int __must_check _kstrtol(const char *s, unsigned int base, long *res);
 diff --git a/security/Kconfig b/security/Kconfig
-index c4302067a3ad..a68e5bdebad5 100644
+index 1d6463fb1450..44c6a0da6f21 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -231,6 +231,28 @@ config STATIC_USERMODEHELPER_PATH
+@@ -229,6 +229,28 @@ config STATIC_USERMODEHELPER_PATH
 	  If you wish for all usermode helper programs to be disabled,
 	  specify an empty string here (i.e. "").
@ -139,16 +139,16 @@ index c4302067a3ad..a68e5bdebad5 100644
 source "security/selinux/Kconfig"
 source "security/smack/Kconfig"
 source "security/tomoyo/Kconfig"
-@@ -278,4 +300,3 @@ config DEFAULT_SECURITY
+@@ -250,4 +272,3 @@ config LSM
- 	default "" if DEFAULT_SECURITY_DAC
+ 	  If unsure, leave this as the default.
 endmenu
 -
 diff --git a/security/Makefile b/security/Makefile
-index 4d2d3782ddef..507ac8c520ce 100644
+index c598b904938f..5ff090149c88 100644
 --- a/security/Makefile
 +++ b/security/Makefile
-@@ -30,3 +30,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
+@@ -32,3 +32,6 @@ obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY)		+= integrity
 obj-$(CONFIG_INTEGRITY)			+= integrity/
@ -227,12 +227,12 @@ index 000000000000..f35ffdd096ad
 +}
 +EXPORT_SYMBOL(__kernel_is_locked_down);
 -- 
-2.14.3
+2.20.1
-From 13dada34d9aa56ac4ee5438c7ebefde2d30d5542 Mon Sep 17 00:00:00 2001
+From 2779f0447b80b3cf94fb0252a4b209aa36250ed6 Mon Sep 17 00:00:00 2001
 From: Kyle McMartin <kyle@redhat.com>
 Date: Mon, 9 Apr 2018 09:52:45 +0100
-Subject: [PATCH 02/24] Add a SysRq option to lift kernel lockdown
+Subject: [PATCH 02/22] Add a SysRq option to lift kernel lockdown
 Make an option to provide a sysrq key that will lift the kernel lockdown,
 thereby allowing the running kernel image to be accessed and modified.
@ -248,16 +248,16 @@ cc: x86@kernel.org
 ---
 arch/x86/include/asm/setup.h |  2 ++
 drivers/input/misc/uinput.c  |  1 +
- drivers/tty/sysrq.c          | 19 ++++++++++++------
+ drivers/tty/sysrq.c          | 19 ++++++++++-----
- include/linux/input.h        |  5 +++++
+ include/linux/input.h        |  5 ++++
- include/linux/sysrq.h        |  8 +++++++-
+ include/linux/sysrq.h        |  8 +++++-
 kernel/debug/kdb/kdb_main.c  |  2 +-
- security/Kconfig             | 11 +++++++++++
+ security/Kconfig             | 11 +++++++++
- security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++++++++++
+ security/lock_down.c         | 47 ++++++++++++++++++++++++++++++++++++
 8 files changed, 87 insertions(+), 8 deletions(-)
 diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
-index ae13bc974416..3108e297d87d 100644
+index ed8ec011a9fd..8daf633a5347 100644
 --- a/arch/x86/include/asm/setup.h
 +++ b/arch/x86/include/asm/setup.h
@@ -9,6 +9,8 @@
@ -270,10 +270,10 @@ index ae13bc974416..3108e297d87d 100644
 #include <linux/pfn.h>
 diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
-index 96a887f33698..027c730631cc 100644
+index 26ec603fe220..a73e92490286 100644
 --- a/drivers/input/misc/uinput.c
 +++ b/drivers/input/misc/uinput.c
-@@ -365,6 +365,7 @@ static int uinput_create_device(struct uinput_device *udev)
+@@ -366,6 +366,7 @@ static int uinput_create_device(struct uinput_device *udev)
 		dev->flush = uinput_dev_flush;
 	}
@ -282,10 +282,10 @@ index 96a887f33698..027c730631cc 100644
 	input_set_drvdata(udev->dev, udev);
 diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
-index 6364890575ec..ffeb3aa86cd1 100644
+index fa0ce7dd9e24..06c60fed7656 100644
 --- a/drivers/tty/sysrq.c
 +++ b/drivers/tty/sysrq.c
-@@ -487,6 +487,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
+@@ -480,6 +480,7 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
 	/* x: May be registered on mips for TLB dump */
 	/* x: May be registered on ppc/powerpc for xmon */
 	/* x: May be registered on sparc64 for global PMU dump */
@ -293,7 +293,7 @@ index 6364890575ec..ffeb3aa86cd1 100644
 	NULL,				/* x */
 	/* y: May be registered on sparc64 for global register dump */
 	NULL,				/* y */
-@@ -530,7 +531,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
+@@ -523,7 +524,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
                 sysrq_key_table[i] = op_p;
 }
@ -302,7 +302,7 @@ index 6364890575ec..ffeb3aa86cd1 100644
 {
 	struct sysrq_key_op *op_p;
 	int orig_log_level;
-@@ -550,11 +551,15 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -542,11 +543,15 @@ void __handle_sysrq(int key, bool check_mask)
         op_p = __sysrq_get_key_op(key);
         if (op_p) {
@ -319,7 +319,7 @@ index 6364890575ec..ffeb3aa86cd1 100644
 			pr_info("%s\n", op_p->action_msg);
 			console_loglevel = orig_log_level;
 			op_p->handler(key);
-@@ -586,7 +591,7 @@ void __handle_sysrq(int key, bool check_mask)
+@@ -579,7 +584,7 @@ void __handle_sysrq(int key, bool check_mask)
 void handle_sysrq(int key)
 {
 	if (sysrq_on())
@ -328,7 +328,7 @@ index 6364890575ec..ffeb3aa86cd1 100644
 }
 EXPORT_SYMBOL(handle_sysrq);
-@@ -667,7 +672,7 @@ static void sysrq_do_reset(struct timer_list *t)
+@@ -659,7 +664,7 @@ static void sysrq_do_reset(struct timer_list *t)
 static void sysrq_handle_reset_request(struct sysrq_state *state)
 {
 	if (state->reset_requested)
@ -337,7 +337,7 @@ index 6364890575ec..ffeb3aa86cd1 100644
 	if (sysrq_reset_downtime_ms)
 		mod_timer(&state->keyreset_timer,
-@@ -818,8 +823,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
+@@ -812,8 +817,10 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
 	default:
 		if (sysrq->active && value && value != 2) {
@ -349,7 +349,7 @@ index 6364890575ec..ffeb3aa86cd1 100644
 		}
 		break;
 	}
-@@ -1102,7 +1109,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
+@@ -1096,7 +1103,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
 		if (get_user(c, buf))
 			return -EFAULT;
@ -416,10 +416,10 @@ index 8c71874e8485..7de1f08b60a9 100644
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
 struct sysrq_key_op *__sysrq_get_key_op(int key);
 diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
-index dbb0781a0533..aae9a0f44058 100644
+index 82a3b32a7cfc..efee1abf5e8e 100644
 --- a/kernel/debug/kdb/kdb_main.c
 +++ b/kernel/debug/kdb/kdb_main.c
-@@ -1970,7 +1970,7 @@ static int kdb_sr(int argc, const char **argv)
+@@ -1981,7 +1981,7 @@ static int kdb_sr(int argc, const char **argv)
 		return KDB_ARGCOUNT;
 	kdb_trap_printk++;
@ -429,10 +429,10 @@ index dbb0781a0533..aae9a0f44058 100644
 	return 0;
 diff --git a/security/Kconfig b/security/Kconfig
-index a68e5bdebad5..46967ee77dfd 100644
+index 44c6a0da6f21..f885e88e0705 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -253,6 +253,17 @@ config LOCK_DOWN_MANDATORY
+@@ -251,6 +251,17 @@ config LOCK_DOWN_MANDATORY
 	  Makes the lockdown non-negotiable.  It is always on and cannot be
 	  disabled.
@ -516,12 +516,12 @@ index f35ffdd096ad..2615669dbf03 100644
 +
 +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
 -- 
-2.14.3
+2.20.1
-From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
+From 597069f3ba9dbf3537bd2ab5642f203fa24fd1f4 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:46 +0100
-Subject: [PATCH 05/24] Restrict /dev/{mem,kmem,port} when the kernel is locked
+Subject: [PATCH 03/22] Restrict /dev/{mem,kmem,port} when the kernel is locked
 down
 Allowing users to read and write to core kernel memory makes it possible
@ -542,10 +542,10 @@ Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
 1 file changed, 2 insertions(+)
 diff --git a/drivers/char/mem.c b/drivers/char/mem.c
-index ffeb60d3434c..b2fca26e5765 100644
+index b08dc50f9f26..0a2f2e75d5f4 100644
 --- a/drivers/char/mem.c
 +++ b/drivers/char/mem.c
-@@ -784,6 +784,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
+@@ -786,6 +786,8 @@ static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
 static int open_port(struct inode *inode, struct file *filp)
 {
@ -555,12 +555,12 @@ index ffeb60d3434c..b2fca26e5765 100644
 }
 -- 
-2.14.3
+2.20.1
-From a19b6b9637f114388cc7087176860eee962cac79 Mon Sep 17 00:00:00 2001
+From 97b73030d3ccb2c4595c4fe948b0af368a6b10e3 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:46 +0100
-Subject: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked
+Subject: [PATCH 04/22] kexec_load: Disable at runtime if the kernel is locked
 down
 The kexec_load() syscall permits the loading and execution of arbitrary
@ -576,6 +576,7 @@ Acked-by: Dave Young <dyoung@redhat.com>
 Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
 Reviewed-by: James Morris <james.l.morris@oracle.com>
 cc: kexec@lists.infradead.org
 Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
 kernel/kexec.c | 7 +++++++
 1 file changed, 7 insertions(+)
@ -599,12 +600,12 @@ index 68559808fdfa..041d505070e1 100644
 	result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
 	if (result < 0)
 -- 
-2.17.1
+2.20.1
-From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001
+From 1b27ccaab50813a5a3c29f7be294a3cf98966d3b Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Mon, 9 Apr 2018 09:52:47 +0100
-Subject: [PATCH 07/24] hibernate: Disable when the kernel is locked down
+Subject: [PATCH 05/22] hibernate: Disable when the kernel is locked down
 There is currently no way to verify the resume image when returning
 from hibernate.  This might compromise the signed modules trust model,
@ -615,12 +616,13 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 Signed-off-by: David Howells <dhowells@redhat.com>
 Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
 cc: linux-pm@vger.kernel.org
 Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
 kernel/power/hibernate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
-index 5454cc639a8d..629f158f5a0c 100644
+index abef759de7c8..802795becb88 100644
 --- a/kernel/power/hibernate.c
 +++ b/kernel/power/hibernate.c
@@ -70,7 +70,7 @@ static const struct platform_hibernation_ops *hibernation_ops;
@ -633,12 +635,12 @@ index 5454cc639a8d..629f158f5a0c 100644
 /**
 -- 
-2.14.3
+2.20.1
-From 8732c1663d7c0305ae01ba5a1ee4d2299b7b4612 Mon Sep 17 00:00:00 2001
+From 65c098838ab0e21528ecbd5ad27e1b5174b42b14 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:47 +0100
-Subject: [PATCH 08/24] uswsusp: Disable when the kernel is locked down
+Subject: [PATCH 06/22] uswsusp: Disable when the kernel is locked down
 uswsusp allows a user process to dump and then restore kernel state, which
 makes it possible to modify the running kernel.  Disable this if the kernel
@ -654,7 +656,7 @@ cc: linux-pm@vger.kernel.org
 1 file changed, 3 insertions(+)
 diff --git a/kernel/power/user.c b/kernel/power/user.c
-index 75c959de4b29..959b336d8eca 100644
+index 2d8b60a3c86b..0305d513c274 100644
 --- a/kernel/power/user.c
 +++ b/kernel/power/user.c
@@ -52,6 +52,9 @@ static int snapshot_open(struct inode *inode, struct file *filp)
@ -668,12 +670,12 @@ index 75c959de4b29..959b336d8eca 100644
 	if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
 -- 
-2.14.3
+2.20.1
-From 4f5f0aae410d1929872eec346954c85e3a85f4f3 Mon Sep 17 00:00:00 2001
+From 05eecdf72d557817d7613733dca6eac08e61377e Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:48 +0100
-Subject: [PATCH 09/24] PCI: Lock down BAR access when the kernel is locked
+Subject: [PATCH 07/22] PCI: Lock down BAR access when the kernel is locked
 down
 Any hardware that can potentially generate DMA has to be locked down in
@ -694,10 +696,10 @@ cc: linux-pci@vger.kernel.org
 3 files changed, 19 insertions(+), 2 deletions(-)
 diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
-index 366d93af051d..1e149ec006a4 100644
+index 25794c27c7a4..0d969598e273 100644
 --- a/drivers/pci/pci-sysfs.c
 +++ b/drivers/pci/pci-sysfs.c
-@@ -903,6 +903,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
+@@ -904,6 +904,9 @@ static ssize_t pci_write_config(struct file *filp, struct kobject *kobj,
 	loff_t init_off = off;
 	u8 *data = (u8 *) buf;
@ -707,7 +709,7 @@ index 366d93af051d..1e149ec006a4 100644
 	if (off > dev->cfg_size)
 		return 0;
 	if (off + count > dev->cfg_size) {
-@@ -1165,6 +1168,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
+@@ -1166,6 +1169,9 @@ static int pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr,
 	enum pci_mmap_state mmap_type;
 	struct resource *res = &pdev->resource[bar];
@ -717,7 +719,7 @@ index 366d93af051d..1e149ec006a4 100644
 	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
 		return -EINVAL;
-@@ -1240,6 +1246,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
+@@ -1241,6 +1247,9 @@ static ssize_t pci_write_resource_io(struct file *filp, struct kobject *kobj,
 				     struct bin_attribute *attr, char *buf,
 				     loff_t off, size_t count)
 {
@ -728,7 +730,7 @@ index 366d93af051d..1e149ec006a4 100644
 }
 diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
-index 1ee8927a0635..469445a9019b 100644
+index 6fa1627ce08d..1549cdd0710e 100644
 --- a/drivers/pci/proc.c
 +++ b/drivers/pci/proc.c
@@ -117,6 +117,9 @@ static ssize_t proc_bus_pci_write(struct file *file, const char __user *buf,
@ -776,12 +778,12 @@ index d96626c614f5..b8a08d3166a1 100644
 	dev = pci_get_domain_bus_and_slot(0, bus, dfn);
 -- 
-2.14.3
+2.20.1
-From 677537cdec42804f1936b57ffaa6181f633bc015 Mon Sep 17 00:00:00 2001
+From 00ead3a144b821267a941a26c646a1fd07d8163a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:48 +0100
-Subject: [PATCH 10/24] x86: Lock down IO port access when the kernel is locked
+Subject: [PATCH 08/22] x86: Lock down IO port access when the kernel is locked
 down
 IO port access would permit users to gain access to PCI configuration
@ -826,12 +828,12 @@ index 0fe1c8782208..abc702a6ae9c 100644
 	}
 	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
 -- 
-2.14.3
+2.20.1
-From f005be07fababf8c698a556fe465871ad168c9d9 Mon Sep 17 00:00:00 2001
+From 6efd2de8172dac74fbea76d7205657c4cf22ef6a Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:48 +0100
-Subject: [PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked
+Subject: [PATCH 09/22] x86/msr: Restrict MSR access when the kernel is locked
 down
 Writing to MSRs should not be allowed if the kernel is locked down, since
@ -852,7 +854,7 @@ cc: x86@kernel.org
 1 file changed, 10 insertions(+)
 diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
-index ef688804f80d..dfb61d358196 100644
+index 4588414e2561..f5a2cf07972f 100644
 --- a/arch/x86/kernel/msr.c
 +++ b/arch/x86/kernel/msr.c
@@ -84,6 +84,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
@ -880,12 +882,12 @@ index ef688804f80d..dfb61d358196 100644
 		if (err)
 			break;
 -- 
-2.14.3
+2.20.1
-From 0a48b7c936757dda851ab2d3ecde7f6a79de7a5b Mon Sep 17 00:00:00 2001
+From 7e4c9369ca56ec7508ad851fb3f8af7b7e83c4e5 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:48 +0100
-Subject: [PATCH 12/24] ACPI: Limit access to custom_method when the kernel is
+Subject: [PATCH 10/22] ACPI: Limit access to custom_method when the kernel is
 locked down
 custom_method effectively allows arbitrary access to system memory, making
@ -901,7 +903,7 @@ cc: linux-acpi@vger.kernel.org
 1 file changed, 3 insertions(+)
 diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
-index e967c1173ba3..a07fbe999eb6 100644
+index aa972dc5cb7e..af1d161f188f 100644
 --- a/drivers/acpi/custom_method.c
 +++ b/drivers/acpi/custom_method.c
@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
@ -915,12 +917,12 @@ index e967c1173ba3..a07fbe999eb6 100644
 		/* parse the table header to get the table length */
 		if (count <= sizeof(struct acpi_table_header))
 -- 
-2.14.3
+2.20.1
-From 2ed74b084366d7dba7b4a611ba13d99b82c4e11e Mon Sep 17 00:00:00 2001
+From 20f5e7cfa6d01d10a5bb83a6b276d6f403aa012c Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@redhat.com>
 Date: Mon, 9 Apr 2018 09:52:49 +0100
-Subject: [PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has
+Subject: [PATCH 11/22] acpi: Ignore acpi_rsdp kernel param when the kernel has
 been locked down
 This option allows userspace to pass the RSDP address to the kernel, which
@ -937,10 +939,10 @@ cc: linux-acpi@vger.kernel.org
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
-index 7ca41bf023c9..34e4ce7939f4 100644
+index f29e427d0d1d..3e44cef7a0cd 100644
 --- a/drivers/acpi/osl.c
 +++ b/drivers/acpi/osl.c
-@@ -192,7 +192,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
+@@ -194,7 +194,7 @@ acpi_physical_address __init acpi_os_get_root_pointer(void)
 	acpi_physical_address pa;
 #ifdef CONFIG_KEXEC
@ -950,12 +952,12 @@ index 7ca41bf023c9..34e4ce7939f4 100644
 #endif
 	pa = acpi_arch_get_root_pointer();
 -- 
-2.14.3
+2.20.1
-From 7fb2ddf683c23cc4b227d7d75a5d039970ca910e Mon Sep 17 00:00:00 2001
+From 700ce42e36ac0b7387c55d8fe13dd1dda3d4f178 Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Mon, 9 Apr 2018 09:52:49 +0100
-Subject: [PATCH 14/24] acpi: Disable ACPI table override if the kernel is
+Subject: [PATCH 12/22] acpi: Disable ACPI table override if the kernel is
 locked down
 From the kernel documentation (initrd_table_override.txt):
@ -977,10 +979,10 @@ cc: linux-acpi@vger.kernel.org
 1 file changed, 5 insertions(+)
 diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
-index 849c4fb19b03..6c5ee7e66842 100644
+index 8fccbe49612a..1794f5b4afae 100644
 --- a/drivers/acpi/tables.c
 +++ b/drivers/acpi/tables.c
-@@ -527,6 +527,11 @@ void __init acpi_table_upgrade(void)
+@@ -539,6 +539,11 @@ void __init acpi_table_upgrade(void)
 	if (table_nr == 0)
 		return;
@ -993,12 +995,12 @@ index 849c4fb19b03..6c5ee7e66842 100644
 		memblock_find_in_range(0, ACPI_TABLE_UPGRADE_MAX_PHYS,
 				       all_tables_size, PAGE_SIZE);
 -- 
-2.14.3
+2.20.1
-From d1ff6505c76cec9438217f2c284f024a1ac2ac59 Mon Sep 17 00:00:00 2001
+From 795cc6dc11944a24309cd29b02efc6ff6eea241e Mon Sep 17 00:00:00 2001
 From: Linn Crosetto <linn@hpe.com>
 Date: Mon, 9 Apr 2018 09:52:50 +0100
-Subject: [PATCH 15/24] acpi: Disable APEI error injection if the kernel is
+Subject: [PATCH 13/22] acpi: Disable APEI error injection if the kernel is
 locked down
 ACPI provides an error injection mechanism, EINJ, for debugging and testing
@ -1025,7 +1027,7 @@ cc: linux-acpi@vger.kernel.org
 1 file changed, 3 insertions(+)
 diff --git a/drivers/acpi/apei/einj.c b/drivers/acpi/apei/einj.c
-index b38737c83a24..6d71e1e97b20 100644
+index 2d4be94f8c00..6ee4ad207e8b 100644
 --- a/drivers/acpi/apei/einj.c
 +++ b/drivers/acpi/apei/einj.c
@@ -518,6 +518,9 @@ static int einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
@ -1039,12 +1041,12 @@ index b38737c83a24..6d71e1e97b20 100644
 	if (flags && (flags &
 		~(SETWA_FLAGS_APICID|SETWA_FLAGS_MEM|SETWA_FLAGS_PCIE_SBDF)))
 -- 
-2.14.3
+2.20.1
-From 3153be0328e3a752aacab95d503fbd460f517402 Mon Sep 17 00:00:00 2001
+From fbdf91419289d47c747d5535bb92a8923a0fce97 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:37 +0100
-Subject: [PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked
+Subject: [PATCH 14/22] Prohibit PCMCIA CIS storage when the kernel is locked
 down
 Prohibit replacement of the PCMCIA Card Information Structure when the
@ -1058,7 +1060,7 @@ cc: linux-pcmcia@lists.infradead.org
 1 file changed, 3 insertions(+)
 diff --git a/drivers/pcmcia/cistpl.c b/drivers/pcmcia/cistpl.c
-index 102646fedb56..e46c948d7246 100644
+index ac0672b8dfca..8adf092d0e18 100644
 --- a/drivers/pcmcia/cistpl.c
 +++ b/drivers/pcmcia/cistpl.c
@@ -1578,6 +1578,9 @@ static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
@ -1072,12 +1074,12 @@ index 102646fedb56..e46c948d7246 100644
 	if (off)
 -- 
-2.14.3
+2.20.1
-From 9fedc1427e8589edf2e16a481f8588711adba69a Mon Sep 17 00:00:00 2001
+From 9a3726b9bf16e62fce77570c972857abc303fcd1 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:37 +0100
-Subject: [PATCH 17/24] Lock down TIOCSSERIAL
+Subject: [PATCH 15/22] Lock down TIOCSSERIAL
 Lock down TIOCSSERIAL as that can be used to change the ioport and irq
 settings on a serial port.  This only appears to be an issue for the serial
@ -1092,10 +1094,10 @@ cc: Jiri Slaby <jslaby@suse.com>
 1 file changed, 6 insertions(+)
 diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
-index 0466f9f08a91..360f8e4416c4 100644
+index 351843f847c0..3cffe2f5d132 100644
 --- a/drivers/tty/serial/serial_core.c
 +++ b/drivers/tty/serial/serial_core.c
-@@ -829,6 +829,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
+@@ -852,6 +852,12 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port,
 	new_flags = (__force upf_t)new_info->flags;
 	old_custom_divisor = uport->custom_divisor;
@ -1109,12 +1111,12 @@ index 0466f9f08a91..360f8e4416c4 100644
 		retval = -EPERM;
 		if (change_irq || change_port ||
 -- 
-2.14.3
+2.20.1
-From f8fd52e2b077ce5a993807f8fc6e27a17cf4d19f Mon Sep 17 00:00:00 2001
+From 3602dd89747ed890d31fcb4d64a3fcd48490fff7 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:37 +0100
-Subject: [PATCH 18/24] Lock down module params that specify hardware
+Subject: [PATCH 16/22] Lock down module params that specify hardware
 parameters (eg. ioport)
 Provided an annotation for module parameters that specify hardware
@ -1128,7 +1130,7 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 1 file changed, 21 insertions(+), 5 deletions(-)
 diff --git a/kernel/params.c b/kernel/params.c
-index cc9108c2a1fd..2c08c4aa376b 100644
+index ce89f757e6da..8ac751c938f8 100644
 --- a/kernel/params.c
 +++ b/kernel/params.c
@@ -108,13 +108,19 @@ bool parameq(const char *a, const char *b)
@ -1192,12 +1194,12 @@ index cc9108c2a1fd..2c08c4aa376b 100644
 	if (!err)
 		return len;
 -- 
-2.14.3
+2.20.1
-From 9c88e2ab392f5ac9c80529e43175fe65d00cdb67 Mon Sep 17 00:00:00 2001
+From 5c8a455102b3ca36e84694d888fad219726bd268 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module
+Subject: [PATCH 17/22] x86/mmiotrace: Lock down the testmmiotrace module
 The testmmiotrace module shouldn't be permitted when the kernel is locked
 down as it can be used to arbitrarily read and write MMIO space.
@ -1228,12 +1230,12 @@ index f6ae6830b341..bbaad357f5d7 100644
 		pr_err("you have to use the module argument mmio_address.\n");
 		pr_err("DO NOT LOAD THIS MODULE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING!\n");
 -- 
-2.14.3
+2.20.1
-From 256e20401f9f5dd19028d4220095897a15daa67c Mon Sep 17 00:00:00 2001
+From 711e6f9ef237fd513eddfc1f0e3796c419bc138e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 20/24] Lock down /proc/kcore
+Subject: [PATCH 18/22] Lock down /proc/kcore
 Disallow access to /proc/kcore when the kernel is locked down to prevent
 access to cryptographic data.
@ -1245,10 +1247,10 @@ Reviewed-by: James Morris <james.l.morris@oracle.com>
 1 file changed, 2 insertions(+)
 diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
-index d1e82761de81..cdebdee81719 100644
+index bbcc185062bb..d50ebfbf3dbb 100644
 --- a/fs/proc/kcore.c
 +++ b/fs/proc/kcore.c
-@@ -546,6 +546,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
+@@ -518,6 +518,8 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
 static int open_kcore(struct inode *inode, struct file *filp)
 {
@ -1258,12 +1260,12 @@ index d1e82761de81..cdebdee81719 100644
 		return -EPERM;
 -- 
-2.14.3
+2.20.1
-From f68ca24bc8d8a64cf30e59a595fad0e6782e933f Mon Sep 17 00:00:00 2001
+From f2a835a43a6463abfe6781156ebdb7346d7a3c51 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 21/24] Lock down kprobes
+Subject: [PATCH 19/22] Lock down kprobes
 Disallow the creation of kprobes when the kernel is locked down by
 preventing their registration.  This prevents kprobes from being used to
@ -1276,10 +1278,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 1 file changed, 3 insertions(+)
 diff --git a/kernel/kprobes.c b/kernel/kprobes.c
-index 102160ff5c66..4f5757732553 100644
+index c83e54727131..743c40bd1982 100644
 --- a/kernel/kprobes.c
 +++ b/kernel/kprobes.c
-@@ -1561,6 +1561,9 @@ int register_kprobe(struct kprobe *p)
+@@ -1571,6 +1571,9 @@ int register_kprobe(struct kprobe *p)
 	struct module *probed_mod;
 	kprobe_opcode_t *addr;
@ -1290,12 +1292,12 @@ index 102160ff5c66..4f5757732553 100644
 	addr = kprobe_addr(p);
 	if (IS_ERR(addr))
 -- 
-2.14.3
+2.20.1
-From d44a6ae3a7cad5cd9b01f7b0a48b3c788af968e8 Mon Sep 17 00:00:00 2001
+From 23afb750c60b6b2d8025eb4d52ce6ff565ca1a63 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 23/24] Lock down perf
+Subject: [PATCH 20/22] Lock down perf
 Disallow the use of certain perf facilities that might allow userspace to
 access kernel data.
@ -1306,10 +1308,10 @@ Signed-off-by: David Howells <dhowells@redhat.com>
 1 file changed, 5 insertions(+)
 diff --git a/kernel/events/core.c b/kernel/events/core.c
-index fc1c330c6bd6..1922f2e0980a 100644
+index 5f59d848171e..ddf0fa63cb80 100644
 --- a/kernel/events/core.c
 +++ b/kernel/events/core.c
-@@ -10407,6 +10407,11 @@ SYSCALL_DEFINE5(perf_event_open,
+@@ -10727,6 +10727,11 @@ SYSCALL_DEFINE5(perf_event_open,
 			return -EINVAL;
 	}
@ -1322,12 +1324,12 @@ index fc1c330c6bd6..1922f2e0980a 100644
 	if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR) &&
 	    perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
 -- 
-2.14.3
+2.20.1
-From fe5091f97838c8c64b891280bcd30367e71cd5c3 Mon Sep 17 00:00:00 2001
+From dc6da5e583b02c04a6e0518158ef3d82735aeb5d Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Wed, 4 Apr 2018 14:45:38 +0100
-Subject: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked
+Subject: [PATCH 21/22] debugfs: Restrict debugfs when the kernel is locked
 down
 Disallow opening of debugfs files that might be used to muck around when
@ -1371,7 +1373,7 @@ cc: Thomas Gleixner <tglx@linutronix.de>
 2 files changed, 56 insertions(+), 2 deletions(-)
 diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 1f99678ff5d3..51cb894c21f2 100644
+index 4fce1da7db23..c33042c1eff3 100644
 --- a/fs/debugfs/file.c
 +++ b/fs/debugfs/file.c
@@ -136,6 +136,25 @@ void debugfs_file_put(struct dentry *dentry)
@ -1424,7 +1426,7 @@ index 1f99678ff5d3..51cb894c21f2 100644
 	if (!real_fops) {
 		/* Huh? Module did not cleanup after itself at exit? */
 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
-index 13b01351dd1c..4daec17b8215 100644
+index 95b5e78c22b1..ce99ea07fdb4 100644
 --- a/fs/debugfs/inode.c
 +++ b/fs/debugfs/inode.c
@@ -32,6 +32,31 @@ static struct vfsmount *debugfs_mount;
@ -1467,7 +1469,7 @@ index 13b01351dd1c..4daec17b8215 100644
 	inode->i_fop = proxy_fops;
 	dentry->d_fsdata = (void *)((unsigned long)real_fops |
 				DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
-@@ -515,7 +541,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
+@@ -516,7 +542,7 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
 		return failed_creating(dentry);
 	inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
@ -1476,7 +1478,7 @@ index 13b01351dd1c..4daec17b8215 100644
 	inode->i_fop = &simple_dir_operations;
 	/* directory inodes start off with i_nlink == 2 (for "." entry) */
-@@ -608,7 +634,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
+@@ -611,7 +637,7 @@ struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
 		return failed_creating(dentry);
 	}
 	inode->i_mode = S_IFLNK | S_IRWXUGO;
@ -1486,104 +1488,13 @@ index 13b01351dd1c..4daec17b8215 100644
 	d_instantiate(dentry, inode);
 	return end_creating(dentry);
 -- 
-2.14.3
+2.20.1
-From patchwork Wed Nov 21 12:05:10 2018
+From 29131d94aceb11ad6be4b0d8820db23986f1a0b2 Mon Sep 17 00:00:00 2001
 Content-Type: text/plain; charset="utf-8"
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 X-Patchwork-Submitter: Vasily Gorbik <gor@linux.ibm.com>
 X-Patchwork-Id: 1015495
 Return-Path: <SRS0=ejdu=OA=vger.kernel.org=linux-kernel-owner@kernel.org>
 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 	by smtp.lore.kernel.org (Postfix) with ESMTP id AF80FC04EBA
 	for <linux-kernel@archiver.kernel.org>; Wed, 21 Nov 2018 12:05:25 +0000 (UTC)
 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
 	by mail.kernel.org (Postfix) with ESMTP id 80EA921479
 	for <linux-kernel@archiver.kernel.org>; Wed, 21 Nov 2018 12:05:25 +0000 (UTC)
 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 80EA921479
 Authentication-Results: mail.kernel.org;
 dmarc=fail (p=none dis=none) header.from=linux.ibm.com
 Authentication-Results: mail.kernel.org;
 spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org
 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730155AbeKUWjb (ORCPT
        <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 21 Nov 2018 17:39:31 -0500
 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:33574 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S1729128AbeKUWjb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Nov 2018 17:39:31 -0500
 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1])
        by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id
 wALBx6kw056071
        for <linux-kernel@vger.kernel.org>; Wed, 21 Nov 2018 07:05:22 -0500
 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98])
        by mx0b-001b2d01.pphosted.com with ESMTP id 2nw5p847fp-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Wed, 21 Nov 2018 07:05:22 -0500
 Received: from localhost
        by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
 Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <gor@linux.ibm.com>;
        Wed, 21 Nov 2018 12:05:20 -0000
 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197)
        by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway:
 Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Wed, 21 Nov 2018 12:05:17 -0000
 Received: from b06wcsmtp001.portsmouth.uk.ibm.com
 (b06wcsmtp001.portsmouth.uk.ibm.com [9.149.105.160])
        by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with
 ESMTP id wALC5GXF60817580
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
 verify=FAIL);
        Wed, 21 Nov 2018 12:05:16 GMT
 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 4EB1CA4060;
        Wed, 21 Nov 2018 12:05:16 +0000 (GMT)
 Received: from b06wcsmtp001.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 0C844A405F;
        Wed, 21 Nov 2018 12:05:16 +0000 (GMT)
 Received: from localhost (unknown [9.152.212.229])
        by b06wcsmtp001.portsmouth.uk.ibm.com (Postfix) with ESMTPS;
        Wed, 21 Nov 2018 12:05:15 +0000 (GMT)
 Date: Wed, 21 Nov 2018 13:05:10 +0100
 From: Vasily Gorbik <gor@linux.ibm.com>
-To: David Howells <dhowells@redhat.com>,
+Date: Wed, 21 Nov 2018 13:05:10 +0100
-        James Morris <jmorris@namei.org>
+Subject: [PATCH 22/22] debugfs: avoid EPERM when no open file operation
-Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>,
+ defined
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
 Subject: [PATCH next-lockdown 1/1] debugfs: avoid EPERM when no open file
 operation defined
 References: <4136.1522452584@warthog.procyon.org.uk>
 <cover.thread-bfac1b.your-ad-here.call-01542799656-ext-6093@work.hours>
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf-8
 Content-Disposition: inline
 In-Reply-To: 
 <cover.thread-bfac1b.your-ad-here.call-01542799656-ext-6093@work.hours>
 X-TM-AS-GCONF: 00
 x-cbid: 18112112-0008-0000-0000-000002963F3F
 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
 x-cbparentid: 18112112-0009-0000-0000-000022006F52
 Message-Id: 
 <patch-1.thread-bfac1b.git-bfac1b60354c.your-ad-here.call-01542799656-ext-6093@work.hours>
 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,,
 definitions=2018-11-21_05:,,
 signatures=0
 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 priorityscore=1501
 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1810050000 definitions=main-1811210107
 Sender: linux-kernel-owner@vger.kernel.org
 Precedence: bulk
 List-ID: <linux-kernel.vger.kernel.org>
 X-Mailing-List: linux-kernel@vger.kernel.org
 With "debugfs: Restrict debugfs when the kernel is locked down"
 return code "r" is unconditionally set to -EPERM, which stays like that
@ -1605,7 +1516,7 @@ Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
-index 51cb894c21f2..89c86faaa02a 100644
+index c33042c1eff3..3a5033ff9ec7 100644
 --- a/fs/debugfs/file.c
 +++ b/fs/debugfs/file.c
@@ -167,9 +167,10 @@ static int open_proxy_open(struct inode *inode, struct file *filp)
@ -1634,3 +1545,6 @@ index 51cb894c21f2..89c86faaa02a 100644
 	real_fops = fops_get(real_fops);
 	if (!real_fops) {
 -- 
 2.20.1
--- a/2
+++ b/2
@ -1 +1 @@
-f90d64483ebd394958841f67f8794ab203b319a7
+610cd4eadec4f97acd25d3108b0e50d1362b3319
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@ -3019,6 +3019,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -5130,6 +5131,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@ -3001,6 +3001,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -5109,6 +5110,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@ -3100,6 +3100,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -5336,6 +5337,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@ -2979,6 +2979,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -5056,6 +5057,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@ -2962,6 +2962,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -5036,6 +5037,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@ -3083,6 +3083,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=32768
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -5316,6 +5317,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@ -2837,6 +2837,7 @@ CONFIG_LP_CONSOLE=y
 CONFIG_LPC_SCH=m
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4730,6 +4731,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-i686.config
+++ b/kernel-i686.config
@ -2818,6 +2818,7 @@ CONFIG_LP_CONSOLE=y
 CONFIG_LPC_SCH=m
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4710,6 +4711,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@ -2595,6 +2595,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4433,6 +4434,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@ -2576,6 +2576,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4411,6 +4412,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@ -2569,6 +2569,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4381,6 +4382,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@ -2550,6 +2550,7 @@ CONFIG_LP_CONSOLE=y
 # CONFIG_LPC_SCH is not set
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4359,6 +4360,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@ -2883,6 +2883,7 @@ CONFIG_LP_CONSOLE=y
 CONFIG_LPC_SCH=m
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4761,6 +4762,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@ -2864,6 +2864,7 @@ CONFIG_LP_CONSOLE=y
 CONFIG_LPC_SCH=m
 CONFIG_LSI_ET1011C_PHY=m
 CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 CONFIG_LTC1660=m
 # CONFIG_LTC2471 is not set
 # CONFIG_LTC2485 is not set
@ -4741,6 +4742,7 @@ CONFIG_SECURITY_INFINIBAND=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
--- a/kernel.spec
+++ b/kernel.spec
@ -69,7 +69,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %global rcrev 0
 # The git snapshot level
-%define gitrev 3
+%define gitrev 4
 # Set rpm version accordingly
 %define rpmversion 5.%{upstream_sublevel}.0
 %endif
@ -1873,6 +1873,9 @@ fi
 #
 #
 %changelog
 * Fri Mar 08 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc0.git4.1
 - Linux v5.0-7001-g610cd4eadec4
 * Thu Mar 07 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc0.git3.1
 - Linux v5.0-6399-gf90d64483ebd
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0
-SHA512 (patch-5.0-git3.xz) = 5d0173b40a31b0fd000c4c37e272ba754b387aaf359a9f42868db2b4a86a8431c91e2130c933538904691b86a53af1b166131d3b9958fdffd29814c7b961d689
+SHA512 (patch-5.0-git4.xz) = 8e51849571facbaa0585503f911deeaad308e95f3e692875db699489d46decb00577278f8a96ff2da10f058045c6f00b483f02519d261b9f33d4afe0436774f9
		`@ -0,0 +1 @@`
							`CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"`
`@ -1 +1 @@`
	`f90d64483ebd394958841f67f8794ab203b319a7`	`610cd4eadec4f97acd25d3108b0e50d1362b3319`
`@ -1,2 +1,2 @@`
	`SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0`	`SHA512 (linux-5.0.tar.xz) = 3fbab70c7b03b1a10e9fa14d1e2e1f550faba4f5792b7699ca006951da74ab86e7d7f19c6a67849ab99343186e7d6f2752cd910d76222213b93c1eab90abf1b0`
	`SHA512 (patch-5.0-git3.xz) = 5d0173b40a31b0fd000c4c37e272ba754b387aaf359a9f42868db2b4a86a8431c91e2130c933538904691b86a53af1b166131d3b9958fdffd29814c7b961d689`	`SHA512 (patch-5.0-git4.xz) = 8e51849571facbaa0585503f911deeaad308e95f3e692875db699489d46decb00577278f8a96ff2da10f058045c6f00b483f02519d261b9f33d4afe0436774f9`