kernel August 2015

kernel@lists.fedoraproject.org

12 participants
8 discussions

Building dell_rbu module
by Major Hayden 02 Jan '16

02 Jan '16

Hey folks, I've rebuilt quite a few Fedora kernels to enable the dell_rbu module for firmware updates on various Dell servers, workstations, and laptops that are running Fedora 21 and 22. Would it be possible to have it enabled in the normal kernel builds? I found a bugzilla ticket[1] referenced in the kernel config[2] that points to some installation issues in Fedora 20. I can't tell if the bug was within dell_rbu or perhaps in systemd-udevd from the ticket. However, I've had success loading the module on various Dell equipment over the last 18 months or so. If we enable it, could we ensure that it's not enabled by default? I wondered if a kernel subpackage would be helpful but that seems a bit like overkill. Thanks! [1] https://bugzilla.redhat.com/show_bug.cgi?id=997149 [2] http://pkgs.fedoraproject.org/cgit/kernel.git/tree/config-x86-generic?h=f22 -- Major Hayden

4 8

kernel.git branch f21/22 - Fix iscsi issue (rhbz 1253789) - Missing ApplyPatch line in kernel.spec
by Donavan Lance 17 Aug '15

17 Aug '15

In the f21 and f22 branch the ApplyPatch line is missing for: #rhbz 1253789 Patch510: iSCSI-let-session-recovery_tmo-sysfs-writes-persist.patch I'm not sure if this was intentional or an oversight due to the "new" way patches are applied in the f23 and master branches. Just thought I'd give a heads up. Cheers, - Donavan Lance

2 2

initramfs vs installer initrd
by Prarit Bhargava 12 Aug '15

12 Aug '15

[This may not be the place to ask this question. If I'm not in the right place could someone point me to the correct list? TIA] I'm wondering about why the rpm kernel install (via dracut) method results in an initramfs but the install targets have an initrd. Is there any technical reason for the difference? Thanks, P.

3 3

[PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot
by Dave Young 10 Aug '15

10 Aug '15

Kexec reboot in case secure boot enabled does not keep the secure boot mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. Adding a patch to fix this by retain the secure_boot flag in original kernel. Signed-off-by: Dave Young <dyoung(a)redhat.com> --- kernel.spec | 2 ++ ...uefi-copy-secure_boot-flag-in-boot-params.patch | 30 ++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 kexec-uefi-copy-secure_boot-flag-in-boot-params.patch diff --git a/kernel.spec b/kernel.spec index e91ef9d..469a2a2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch #rhbz 1244511 Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch + Patch904: kdbus.patch # END OF PATCH DEFINITIONS diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch new file mode 100644 index 0000000..e239ea9 --- /dev/null +++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch @@ -0,0 +1,30 @@ +From: Dave Young <dyoung(a)redhat.com> + +[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot + +Kexec reboot in case secure boot being enabled does not keep the secure boot +mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. +In this state, the system is missing the protections provided by secure boot. + +Adding a patch to fix this by retain the secure_boot flag in original kernel. + +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. +Fixing this issue by copying secure_boot flag across kexec reboot. + +Signed-off-by: Dave Young <dyoung(a)redhat.com> +--- + arch/x86/kernel/kexec-bzimage64.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 9642b9b..0539ec7 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, + if (efi_enabled(EFI_OLD_MEMMAP)) + return 0; + ++ params->secure_boot = boot_params.secure_boot; + ei->efi_loader_signature = current_ei->efi_loader_signature; + ei->efi_systab = current_ei->efi_systab; + ei->efi_systab_hi = current_ei->efi_systab_hi; -- 1.8.3.1

3 8

[Patch] kernel-tests master: Fix path to ignore-files.sh in sysfs-perms test
by Donavan Lance 04 Aug '15

04 Aug '15

Without this change the sysfs-perms test was failing and printing "ignore-files.sh: command not found" into the kernel-tests log. This patch fixes that error and allows the sysfs-perms test to run. Signed-off-by: Donavan Lance <tusklahoma(a)gmail.com> --- default/sysfs-perms/runtest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default/sysfs-perms/runtest.sh b/default/sysfs-perms/runtest.sh index 351af76..54c4c28 100755 --- a/default/sysfs-perms/runtest.sh +++ b/default/sysfs-perms/runtest.sh @@ -6,7 +6,7 @@ COUNT=$(find /sys -type f -perm 666 | ./ignore-files.sh | wc -l) if [ "$COUNT" != "0" ]; then echo Found world-writable files in sysfs. - find /sys -type f -perm 666 | ignore-files.sh + find /sys -type f -perm 666 | ./ignore-files.sh exit -1 fi -- 2.4.3

1 0

[PATCH] Always enable mmiotrace when building x86 kernels
by Hans de Goede 04 Aug '15

04 Aug '15

mmiotrace uses the ftrace framework for dynamic patching, so enabling it does not cause any performance impact. Having mmiotrace enabled is very useful for debugging nvidia / nouveau driver problems, as we often use mmiotraces for nouveau development / debugging. Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- config-x86-generic | 1 + kernel.spec | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config-x86-generic b/config-x86-generic index 9ba3354..eb78690 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -66,6 +66,7 @@ CONFIG_CAPI_EICON=y # CONFIG_X86_MPPARSE=y # CONFIG_X86_VERBOSE_BOOTUP is not set +CONFIG_MMIOTRACE=y # CONFIG_MMIOTRACE_TEST is not set # CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_DEBUG_RODATA=y diff --git a/kernel.spec b/kernel.spec index 4ccceec..cdb59d4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2025,6 +2025,9 @@ fi # %changelog * Tue Aug 04 2015 Hans de Goede <hdegoede(a)redhat.com> +- Always enable mmiotrace when building x86 kernels + +* Tue Aug 04 2015 Hans de Goede <hdegoede(a)redhat.com> - Move joydev.ko from kernel-modules-extra to kernel-modules * Mon Aug 03 2015 Josh Boyer <jwboyer(a)fedoraproject.org> -- 2.4.3

2 1

[PATCH] Move joydev.ko from kernel-modules-extra to kernel-modules
by Hans de Goede 04 Aug '15

04 Aug '15

Unlike the other joystick modules joydev is not just needed for old analog joysticks, but also to provide /dev/js? devices with new usb connected joysticks. Many games still use the (old) /dev/js interface, and will not work ootb unless kernel-modules-extra is installed. Moving jodev.ko to the main kernel package fixes this. Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- kernel.spec | 3 +++ mod-extra.list | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 32d084f..4ccceec 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2024,6 +2024,9 @@ fi # # %changelog +* Tue Aug 04 2015 Hans de Goede <hdegoede(a)redhat.com> +- Move joydev.ko from kernel-modules-extra to kernel-modules + * Mon Aug 03 2015 Josh Boyer <jwboyer(a)fedoraproject.org> - Fix i386 boot bug correctly (rhbz 1247382) - CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013) diff --git a/mod-extra.list b/mod-extra.list index 9794fef..cf957d4 100644 --- a/mod-extra.list +++ b/mod-extra.list @@ -105,7 +105,6 @@ w6692.ko avma1_cs.ko elsa_cs.ko hfc4s8s_l1.ko -joydev.ko a3d.ko adi.ko analog.ko -- 2.4.3

2 1

[PATCH] Add 10-yama-ptrace.conf (rhbz 1209492)
by Mark Wielaard 03 Aug '15

03 Aug '15

This fixes the yama bug #1209492 but lets administrators still add extra restrictions if desired. This patch should apply as is against both f22 and master. --- 10-yama-ptrace.conf | 30 ++++++++++++++++++++++++++++++ kernel.spec | 11 +++++++++++ 2 files changed, 41 insertions(+) create mode 100644 10-yama-ptrace.conf diff --git a/10-yama-ptrace.conf b/10-yama-ptrace.conf new file mode 100644 index 0000000..bcf0e69 --- /dev/null +++ b/10-yama-ptrace.conf @@ -0,0 +1,30 @@ +# The ptrace system call is used for interprocess services, communication +# and introspection (like synchronisation, signaling, debugging, tracing +# and profiling) of processes. +# +# Usage of ptrace is restricted by normal user permissions. Normal +# unprivileged processes cannot interact through ptrace with processes +# that they cannot send signals to or processes that are running set-uid +# or set-gid. +# +# yama ptrace scope can be used to reduce these permissions even more. +# This should normally not be done because it will break various programs +# relying on the default ptrace security restrictions. But can be used +# if you don't have any other way to separate processes in their own +# domains. A different way to restrict ptrace is to set the selinux +# deny_ptrace boolean. Both mechanisms will break some programs relying +# on the ptrace system call and might force users to elevate their +# priviliges to root to do their work. +# +# For more information see Documentation/security/Yama.txt in the kernel +# sources. +# +# This runtime kernel parameter can be set to the following options: +# (Note that setting this to anything except zero will break programs!) +# +# 0 - Normal ptrace security permissions. +# 1 - Restricted ptrace. Only child processes plus normal permissions. +# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE. +# 3 - No attach. No process may call ptrace at all. Irrevocable. +# +kernel.yama.ptrace_scope = 0 diff --git a/kernel.spec b/kernel.spec index dfc4500..87efd85 100644 --- a/kernel.spec +++ b/kernel.spec @@ -460,6 +460,9 @@ Source1000: config-local Source2000: cpupower.service Source2001: cpupower.config +# Default sysctl files +Source3000: 10-yama-ptrace.conf + # Here should be only the patches up to the upstream canonical Linus tree. # For a stable release kernel @@ -1711,6 +1714,10 @@ BuildKernel() { rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/vdso/.build-id %endif + # Install default sysctl settings. + %{__install} -D -m 444 %{SOURCE3000} \ + $RPM_BUILD_ROOT%{_sysctldir}/10-yama-ptrace-$KernelVer.conf + # And save the headers/makefiles etc for building modules against # # This all looks scary, but the end result is supposed to be: @@ -2342,6 +2349,7 @@ fi /lib/modules/%{KVERREL}%{?2:+%{2}}/vdso\ /etc/ld.so.conf.d/kernel-%{KVERREL}%{?2:+%{2}}.conf\ %endif\ +%config(noreplace) %{_sysctldir}/10-yama-ptrace-%{KVERREL}%{?2:+%{2}}.conf\ /lib/modules/%{KVERREL}%{?2:+%{2}}/modules.*\ %{expand:%%files -f kernel-%{?2:%{2}-}modules.list %{?2:%{2}-}modules}\ %defattr(-,root,root)\ @@ -2375,6 +2383,9 @@ fi # # %changelog +* Thu Jun 23 2015 Mark Wielaard <mjw(a)redhat.com> +- Add 10-yama-ptrace.conf (rhbz 1209492) + * Thu Jun 18 2015 Josh Boyer <jwboyer(a)fedoraproject.org> - Add patch to fix touchpad issues on Razer machines (rhbz 1227891) -- 2.4.3

4 13

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

kernel August 2015