John Johansen [Sun, 24 Jul 2016 23:06:14 +0000 (16:06 -0700)]
securityfs: update interface to allow inode_ops, and setup from vfs fns
BugLink: http://bugs.launchpad.net/bugs/1611078 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Paolo Pisati [Wed, 28 Sep 2016 11:22:25 +0000 (13:22 +0200)]
UBUNTU: [Config] armhf: disable ARCH_ZX
BugLink: http://bugs.launchpad.net/bugs/1628503 Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Tim Gardner [Tue, 27 Sep 2016 15:30:06 +0000 (09:30 -0600)]
UBUNTU: [Config] skip Ubuntu-4.8.0-18.20
That version was used during Beta2 testing but was never published
outside of a PPA. However, the tag has been pushed should we ever
want to retrieve it.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
BugLink: http://bugs.launchpad.net/bugs/1628112 Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Luis Henriques [Fri, 23 Sep 2016 15:39:35 +0000 (16:39 +0100)]
UBUNTU: [Config] CONFIG_GOLDFISH=n
BugLink: http://bugs.launchpad.net/bugs/1627052 Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com>
drivers/built-in.o: In function `qe_usb_clock_set':
drivers/soc/fsl/qe/usb.c:25: undefined reference to `qe_immr'
drivers/soc/fsl/qe/usb.c:25: undefined reference to `qe_immr'
drivers/soc/fsl/qe/usb.c:48: undefined reference to `cmxgcr_lock'
drivers/soc/fsl/qe/usb.c:48: undefined reference to `cmxgcr_lock'
drivers/soc/fsl/qe/usb.c:46: undefined reference to `qe_setbrg'
Makefile:965: recipe for target 'vmlinux' failed
make[2]: *** [vmlinux] Error 1
dann frazier [Thu, 22 Sep 2016 03:34:15 +0000 (21:34 -0600)]
UBUNTU: [Config] CONFIG_ACPI_IORT=y
BugLink: http://bugs.launchpad.net/bugs/1626631 Signed-off-by: dann frazier <dann.frazier@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
UBUNTU: add nls_cp437 to the generic.inclusion-list
BugLink: http://bugs.launchpad.net/bugs/1626158
Add a precautionary measure in the event CONFIG_NLS_CODEPAGE_437 reverts
back to being enabled as a module.
Upstream commit 96368701e1c89057bbf39222e965161c68a85b4b changed the
auditing behavior of seccomp so that actions are only logged when the
audit subsystem is enabled. A default install of Ubuntu does not include
the audit userspace and simply enabling the audit subsystem, without
filtering some audit events, would result in more audit records hitting
the system log than usual.
This patch undoes the functional change in upstream commit 96368701e1c89057bbf39222e965161c68a85b4b and goes back to the old
behavior of logging seccomp actions even when audit is not enabled.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Seth Forshee [Thu, 21 Jan 2016 21:37:53 +0000 (15:37 -0600)]
UBUNTU: SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
An overlayfs mount using an upper or lower directory from a
nosuid filesystem bypasses this restriction. Change this so
that if any lower or upper directory is nosuid at mount time the
overlayfs superblock is marked nosuid. This requires some
additions at the vfs level since nosuid currently only applies to
mounts, so a SB_I_NOSUID flag is added along with a helper
function to check a path for nosuid in both the mount and the
superblock.
Seth Forshee [Thu, 21 Jan 2016 17:52:04 +0000 (11:52 -0600)]
UBUNTU: SAUCE: overlayfs: Be more careful about copying up sxid files
When an overlayfs filesystem's lowerdir is on a nosuid filesystem
but the upperdir is not, it's possible to copy up an sxid file or
stick directory into upperdir without changing the mode by
opening the file rw in the overlayfs mount without writing to it.
This makes it possible to bypass the nosuid restriction on the
lowerdir mount.
It's a bad idea in general to let the mounter copy up a sxid file
if the mounter wouldn't have had permission to create the sxid
file in the first place. Therefore change ovl_set_xattr to
exclude these bits when initially setting the mode, then set the
full mode after setting the user for the inode. This allows copy
up for non-sxid files to work as before but causes copy up to
fail for the cases where the user could not have created the sxid
inode in upperdir.
Seth Forshee [Tue, 19 Jan 2016 19:12:02 +0000 (13:12 -0600)]
UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
The original mounter had CAP_SYS_ADMIN in the user namespace
where the mount happened, and the vfs has validated that the user
has permission to do the requested operation. This is sufficient
for allowing the kernel to write these specific xattrs, so we can
bypass the permission checks for these xattrs.
To support this, export __vfs_setxattr_noperm and add an similar
__vfs_removexattr_noperm which is also exported. Use these when
setting or removing trusted.overlayfs.* xattrs.
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.
Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
is out of bounds, assuming this is the last entry.
With malformed data thats not necessarily the case so we can
write outside of allocated area later as we might not have walked the
entire blob.
Fix this by simplifying mark_source_chains -- it already has to check
if nextoff is in range to catch invalid jumps, so just do the check
when we move to a next entry as well.
Also, check that the offset meets the xtables_entry alignment.
Reported-by: Ben Hawkes <hawkes@google.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Chris J. Arges <chris.j.arges@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Brad Figg <brad.figg@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
UBUNTU: SAUCE: (no-up) ACPI: Disable Windows 8 compatibility for some Lenovo ThinkPads
The AML implementation for brightness control on several ThinkPads
contains a workaround to meet a Windows 8 requirement of 101 brightness
levels [1]. The implementation is flawed, as only 16 of the brighness
values reported by _BCL affect a change in brightness. _BCM silently
discards the rest of the values. Disabling Windows 8 compatibility on
these machines reverts them to the old behavior, making _BCL only report
the 16 brightness levels which actually work. Add a quirk to do this
along with a dmi callback to disable Win8 compatibility.
Jay Vosburgh [Wed, 11 Nov 2015 13:04:50 +0000 (13:04 +0000)]
UBUNTU: SAUCE: fan: add VXLAN implementation
Generify the fan mapping support and utilise that to implement fan
mappings over vxlan transport.
Expose the existance of this functionality (when the module is loaded)
via an additional sysctl marker.
Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
[apw@canonical.com: added feature marker for fan over vxlan.] Signed-off-by: Andy Whitcroft <apw@canonical.com>
Conflicts:
drivers/net/vxlan.c
include/uapi/linux/if_link.h
net/ipv4/ipip.c
Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>