Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.

Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant patching and compiling the kernel manually.
Instead, adding the kernel-tainting 'permit_mounts_in_userns' module
parameter allows a kind of user-friendly way to enable the feature.

Testable with:

    sudo modprobe overlay permit_mounts_in_userns=1
    sudo sysctl -w kernel.unprivileged_userns_clone=1
    mkdir -p lower upper work mnt
    unshare --map-root-user --mount \
        mount -t overlay none mnt \
        -o lowerdir=lower,upperdir=upper,workdir=work

[1]: Ubuntu allows unprivileged mounting of overlay filesystem
     https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
[2]: User namespaces + overlayfs = root privileges
     https://lwn.net/Articles/671641/
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
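Added example, not part of the commit or of the Debian packaging: a shell check that reports whether the two switches used in the test procedure above are both on for a host. It assumes the module parameter is readable under /sys/module/overlay/parameters/; the function names and the AUDIT_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the commit): report whether overlayfs mounts in
# user namespaces are reachable by unprivileged users on this host.
# Assumption: the parameter is exported under /sys/module/overlay/parameters/;
# a parameter registered without sysfs permissions shows up as "absent".

# Print the first line of a knob file, or "absent" when it is unreadable.
read_knob() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        echo absent
    fi
}

# Usage: audit_userns_overlay [ROOT]
# ROOT prefixes /sys and /proc so a constructed tree can be checked.
# Exit status: 0 = restricted, 1 = exposed, 2 = could not decide.
audit_userns_overlay() {
    root=${1:-}
    param=$(read_knob "$root/sys/module/overlay/parameters/permit_mounts_in_userns")
    clone=$(read_knob "$root/proc/sys/kernel/unprivileged_userns_clone")
    taint=$(read_knob "$root/proc/sys/kernel/tainted")
    summary="permit_mounts_in_userns=$param unprivileged_userns_clone=$clone tainted=$taint"

    case $param in
        1|Y|y) overlay_on=yes ;;
        0|N|n) overlay_on=no ;;
        *) overlay_on=unknown ;;   # absent: not loaded, unpatched, or hidden
    esac
    case $clone in
        1) userns_on=yes ;;
        0) userns_on=no ;;
        *) userns_on=unknown ;;    # sysctl not present on this kernel
    esac

    # Either switch being off is enough to block the unprivileged mount.
    if [ "$overlay_on" = no ] || [ "$userns_on" = no ]; then
        echo "restricted: $summary"; return 0
    elif [ "$overlay_on" = yes ] && [ "$userns_on" = yes ]; then
        echo "exposed: $summary"; return 1
    fi
    echo "unknown: $summary"; return 2
}

# Inspect the live system unless AUDIT_ROOT points at a constructed tree.
audit_userns_overlay "${AUDIT_ROOT:-}" || true
```

The tainted value is printed as read, since the commit message does not say which taint flag the parameter sets.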
Merge tag 'debian/4.18.20-1'
Release linux (4.18.20-1).
* [rt] Drop all changes from 4.18-rt
* Drop added patches which are already in 4.19
* Drop ABI bump
Merge tag 'debian/4.18.10-1'
Release linux (4.18.10-1).
- Drop new patches that are already included upstream
- Keep ABI number set to "trunk"
- Refresh arm64 APEI workaround patch for 4.19
This updates the debian changelog for listing changes of this stable
update. It also removes patches applied upstream and refreshes a patch
that is part of 4.18.7-rt5.
Merge tag 'debian/4.18.8-1'
Release linux (4.18.8-1).
- Drop ABI reference files and ABI maintenance patch
- Replace ccp driver patch with upstream version that applies to 4.19
Fixes lintian warning patch-file-present-but-not-mentioned-in-series.
Also preparation for using dgit, which will remove everything except
the main patch series under debian/patches.
Rename them to genpatch-{aufs,lockdown,rt}
Fixes lintian warning patch-file-present-but-not-mentioned-in-series.
Also preparation for using dgit, which will remove everything except
the main patch series under debian/patches.
Merge tag 'debian/4.17.17-1'
Release linux (4.17.17-1).
- Drop "gpu: host1x: Fix compiler errors by converting to dma_addr_t"
which is already in 4.18
- Drop ABI reference files and ABI number change
Drop x86-l1tf-fix-build-error-seen-if-config_kvm_intel-is-disabled.patch
Drop x86-i8259-add-missing-include-file.patch
Drop bluetooth-hidp-buffer-overflow-in-hidp_process_report.patch
Cleanup debian/changelog file
I converted the main patch series to quilt format in 3.2.20-1, but
this patch system was still used by genorig.py. One useful
feature that was not available elsewhere was using patch + unifdef
to exclude only part of a source file. However no source files
have needed this since 3.16-rc4 and I don't expect this to ever
be needed again.
The preceding changes moved the file removal/exclusion list into
debian/copyright and the disabling of broken features into the
main patch series, so the private patch system isn't doing
anything.
So we can now remove it completely.
Merge tag 'debian/4.17.6-2'
Release linux (4.17.6-2).
- Drop the ABI maintenance patch
- Resolve conflict between changes to config file generation in sid
(delete CONFIG_BUILD_SALT) and master (putting them in
arch-dependent packages)
Closes: #872263
- kbuild: Add build salt to the kernel and modules
- [arm64,powerpc,x86] Add build salt to the vDSO
- Set BUILD_SALT equal to the release string
Merge tag 'debian/4.17.6-1'
Release linux (4.17.6-1).
- Drop patches for ABI maintenance or that are already upstream
- Drop ABI reference files
The real problem was not that there were two rules, but that the first
rule didn't work for out-of-tree builds.
After I disabled the second rule, "make man" still succeeded because
of another rule (with no commands) that made all man pages depend on
asciidoc.conf.
This updates the debian changelog for listing changes of this stable
update. It also removes the patches that have been merged upstream.
Signed-off-by: Romain Perier <romain.perier@gmail.com>
binder.c and binder_alloc.c both define a debug_mask module parameter,
which was fine when they were two separate built-in "modules". Now
that they're grouped together we need to distinguish these parameters,
so rename the one in binder_alloc.c to alloc_debug_mask.
We no longer need to add the crypto-aes or crypto-ecb dependencies
because ext4 uses the common encryption code in fscrypto (and has a
regular symbol dependency on it).
Since upstream added a softdep on "crc32c", we don't actually need to
change ext4 at all now. But let's replace it with "crypto-crc32c",
since that's the module alias the crypto subsystem will actually
request and is consistent with the softdep we add to other
filesystems.
Add a patch to disable uImage generation to avoid depending on u-boot-tools
Fix typo in the EL's flavor names in installer: not same within defines
Malta is never used for r6. (Closes: #898523)
Boston also requires relocation table size >= 0x00121000
Refresh bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
Drop patches applied upstream related to CVE-2018-1093
Cleanup debian/changelog entries
- Drop patches included upstream
- Drop "Don't WARN about expected W+X pages on Xen"; the problem appears
to have been fixed by upstream commits 2cc42bac1c ("x86-64/Xen: eliminate
W+X mappings") and 672c0ae09b33 ("x86/mm: Consider effective protection
attributes in W+X check")
- Drop "Kbuild: kconfig: Verbose version of --listnewconfig"; it seems
redundant with upstream commit 17baab68d337 ("kconfig: extend output of
'listnewconfig'")
- Drop lockdown patch to drivers/scsi/eata.c; the driver was removed
upstream
- Refresh various other patches
- Drop patches already in 4.16
- Overwrite changes on master to debian/installer, which were also
applied on sid and then changed
- [x86] Fix up dell_smbios configuration; now it's a single driver
selected by DELL_SMBIOS, with DELL_SMBIOS_{SMM,WMI} being boolean
options
- Clean up configuration with kconfigeditor2
Add CVE ids for two issues fixed in 4.15.10
Drop bugfix/all/scsi-core-Avoid-that-ATA-error-handling-can-trigger-.patch
Drop bugfix/all/nospec-kill-array_index_nospec_mask_check.patch
Cleanup debian/changelog file
Commit 1df9e416e647 "Kbuild: always define endianess in kconfig.h"
fixed several cases where some types (and inline functions) might not
be correctly defined according to the host byte order. It might be
possible to avoid an ABI bump, but it would require a lot of work.
Also, the problem may affect OOT modules that therefore should be
rebuilt with the fix.
Drop media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
Drop media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
Drop media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
Cleanup Debian changelog for 4.15.4
Merge tag 'debian/4.14.13-1'
Release linux (4.14.13-1).
- Drop ABI reference
- Drop/refresh patches as necessary
- linux-headers: Drop versioned dependency on linux-kbuild, as there has not
been any version of linux-kbuild-4.15 without objtool