Diffstat (limited to '')
39 files changed, 2956 insertions, 0 deletions
diff --git a/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
new file mode 100644
index 000000000..3f6baa5dc
--- /dev/null
+++ b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
@@ -0,0 +1,99 @@
+From: Serge Hallyn <serge.hallyn@canonical.com>
+Date: Fri, 31 May 2013 19:12:12 +0000 (+0100)
+Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default
+Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8
+
+add sysctl to disallow unprivileged CLONE_NEWUSER by default
+
+This is a short-term patch. Unprivileged use of CLONE_NEWUSER
+is certainly an intended feature of user namespaces. However
+for at least saucy we want to make sure that, if any security
+issues are found, we have a fail-safe.
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+[bwh: Remove unneeded binary sysctl bits]
+---
+Index: linux/kernel/fork.c
+===================================================================
+--- linux.orig/kernel/fork.c
++++ linux/kernel/fork.c
+@@ -103,6 +103,11 @@
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#else
++#define unprivileged_userns_clone 0
++#endif
+
+ /*
+ * Minimum number of threads to boot the kernel
+@@ -1675,6 +1680,10 @@ static __latent_entropy struct task_stru
+ if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
+ return ERR_PTR(-EINVAL);
+
++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
++ if (!capable(CAP_SYS_ADMIN))
++ return ERR_PTR(-EPERM);
++
+ /*
+ * Thread groups must share signals as well, and detached threads
+ * can only be started up within the thread group.
+@@ -2504,6 +2513,12 @@ int ksys_unshare(unsigned long unshare_f
+ if (unshare_flags & CLONE_NEWNS)
+ unshare_flags |= CLONE_FS;
+
++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
++ err = -EPERM;
++ if (!capable(CAP_SYS_ADMIN))
++ goto bad_unshare_out;
++ }
++
+ err = check_unshare_flags(unshare_flags);
+ if (err)
+ goto bad_unshare_out;
+Index: linux/kernel/sysctl.c
+===================================================================
+--- linux.orig/kernel/sysctl.c
++++ linux/kernel/sysctl.c
+@@ -105,6 +105,9 @@ extern int core_uses_pid;
+ extern char core_pattern[];
+ extern unsigned int core_pipe_limit;
+ #endif
++#ifdef CONFIG_USER_NS
++extern int unprivileged_userns_clone;
++#endif
+ extern int pid_max;
+ extern int pid_max_min, pid_max_max;
+ extern int percpu_pagelist_fraction;
+@@ -515,6 +518,15 @@ static struct ctl_table kern_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
++#endif
++#ifdef CONFIG_USER_NS
++ {
++ .procname = "unprivileged_userns_clone",
++ .data = &unprivileged_userns_clone,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = proc_dointvec,
++ },
+ #endif
+ #ifdef CONFIG_PROC_SYSCTL
+ {
+Index: linux/kernel/user_namespace.c
+===================================================================
+--- linux.orig/kernel/user_namespace.c
++++ linux/kernel/user_namespace.c
+@@ -26,6 +26,9 @@
+ #include <linux/bsearch.h>
+ #include <linux/sort.h>
+
++/* sysctl */
++int unprivileged_userns_clone;
++
+ static struct kmem_cache *user_ns_cachep __read_mostly;
+ static DEFINE_MUTEX(userns_state_mutex);
+
diff --git a/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch b/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
new file mode 100644
index 000000000..8726519ad
--- /dev/null
+++ b/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
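Review bot: The new `unprivileged_userns_clone` entry in `kern_table` uses `proc_dointvec` with no bounds, so any non-zero integer (negative values included) written to the sysctl re-enables unprivileged CLONE_NEWUSER and the value read back is not a clean 0/1 state. For a fail-safe switch I would bound it with `.proc_handler = proc_dointvec_minmax,` plus `.extra1`/`.extra2` pointing at 0 and 1 limits; kernel/sysctl.c normally has suitable statics, but they are outside the hunks shown and need confirming. The two gates in kernel/fork.c are also shaped differently, a nested brace-less `if` in the first hunk and a braced block that presets `err` in ksys_unshare; one condition such as `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))` is harder to break on a later rebase. Both functions start and end outside the hunks.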
@@ -0,0 +1,31 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
+not present in the 'lenny' kernel, and seems to receive only sporadic
+maintenance. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ieee802154/socket.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+Index: linux/net/ieee802154/socket.c
+===================================================================
+--- linux.orig/net/ieee802154/socket.c
++++ linux/net/ieee802154/socket.c
+@@ -1144,4 +1144,4 @@ module_init(af_ieee802154_init);
+ module_exit(af_ieee802154_remove);
+
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_IEEE802154);
++/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */
diff --git a/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch
new file mode 100644
index 000000000..da02e00e0
--- /dev/null
+++ b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch
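Review bot: The alias at the end of net/ieee802154/socket.c is disabled by commenting it out, and nothing in the source file records why, so the mitigation is explained only in the patch description. I would replace the dead line with a short statement of intent, e.g. `/* Debian: no MODULE_ALIAS_NETPROTO(PF_IEEE802154), so an unprivileged socket() call cannot auto-load this module */`. The same unexplained commented-out macro appears in the decnet and fjes patches later in this commit.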
@@ -0,0 +1,97 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 22 Jun 2018 17:27:00 +0100
+Subject: android: Enable building ashmem and binder as modules
+Bug-Debian: https://bugs.debian.org/901492
+
+We want to enable use of the Android ashmem and binder drivers to
+support Anbox, but they should not be built-in as that would waste
+resources and increase security attack surface on systems that don't
+need them.
+
+- Add a MODULE_LICENSE declaration to ashmem
+- Change the Makefiles to build each driver as an object with the
+ "_linux" suffix (which is what Anbox expects)
+- Change config symbol types to tristate
+
+---
+Index: linux/drivers/android/Kconfig
+===================================================================
+--- linux.orig/drivers/android/Kconfig
++++ linux/drivers/android/Kconfig
+@@ -9,7 +9,7 @@ config ANDROID
+ if ANDROID
+
+ config ANDROID_BINDER_IPC
+- bool "Android Binder IPC Driver"
++ tristate "Android Binder IPC Driver"
+ depends on MMU
+ default n
+ ---help---
+Index: linux/drivers/android/Makefile
+===================================================================
+--- linux.orig/drivers/android/Makefile
++++ linux/drivers/android/Makefile
+@@ -1,4 +1,5 @@
+ ccflags-y += -I$(src) # needed for trace events
+
+-obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o binder_alloc.o
+-obj-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
++obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
++binder_linux-y := binder.o binder_alloc.o
++binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
+Index: linux/drivers/staging/android/Kconfig
+===================================================================
+--- linux.orig/drivers/staging/android/Kconfig
++++ linux/drivers/staging/android/Kconfig
+@@ -3,7 +3,7 @@ menu "Android"
+ if ANDROID
+
+ config ASHMEM
+- bool "Enable the Anonymous Shared Memory Subsystem"
++ tristate "Enable the Anonymous Shared Memory Subsystem"
+ default n
+ depends on SHMEM
+ help
+Index: linux/drivers/staging/android/Makefile
+===================================================================
+--- linux.orig/drivers/staging/android/Makefile
++++ linux/drivers/staging/android/Makefile
+@@ -2,5 +2,6 @@ ccflags-y += -I$(src) # needed for tra
+
+ obj-y += ion/
+
+-obj-$(CONFIG_ASHMEM) += ashmem.o
++obj-$(CONFIG_ASHMEM) += ashmem_linux.o
++ashmem_linux-y += ashmem.o
+ obj-$(CONFIG_ANDROID_VSOC) += vsoc.o
+Index: linux/drivers/staging/android/ashmem.c
+===================================================================
+--- linux.orig/drivers/staging/android/ashmem.c
++++ linux/drivers/staging/android/ashmem.c
+@@ -24,6 +24,7 @@
+ #include <linux/bitops.h>
+ #include <linux/mutex.h>
+ #include <linux/shmem_fs.h>
++#include <linux/module.h>
+ #include "ashmem.h"
+
+ #define ASHMEM_NAME_PREFIX "dev/ashmem/"
+@@ -924,3 +925,5 @@ out:
+ return ret;
+ }
+ device_initcall(ashmem_init);
++
++MODULE_LICENSE("GPL v2");
+Index: linux/drivers/android/binder_alloc.c
+===================================================================
+--- linux.orig/drivers/android/binder_alloc.c
++++ linux/drivers/android/binder_alloc.c
+@@ -44,7 +44,7 @@ enum {
+ };
+ static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
+
+-module_param_named(debug_mask, binder_alloc_debug_mask,
++module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
+ uint, 0644);
+
+ #define binder_alloc_debug(mask, x...) \
diff --git a/debian/patches/debian/arch-sh4-fix-uimage-build.patch b/debian/patches/debian/arch-sh4-fix-uimage-build.patch
new file mode 100644
index 000000000..d9c651ccb
--- /dev/null
+++ b/debian/patches/debian/arch-sh4-fix-uimage-build.patch
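Review bot: In the ashmem.c hunk the file gains `MODULE_LICENSE("GPL v2")` but is still registered through `device_initcall(ashmem_init)` with no exit handler added, so once `ashmem_linux` is loaded it presumably cannot be unloaded again (the rest of the file is outside the hunk). Because the stated aim is to keep this attack surface off systems that do not need it, that deserves either an exit path or a comment beside the initcall, e.g. `/* no module_exit: ashmem_linux stays resident until reboot */`. The `debug_mask` to `alloc_debug_mask` rename in binder_alloc.c changes a user-visible parameter name and should carry a one-line comment saying it avoids a clash inside the combined `binder_linux` module, if that is the reason.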
@@ -0,0 +1,20 @@
+From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
+Subject: [sh4] Fix uImage build
+Bug-Debian: https://bugs.debian.org/569034
+Forwarded: not-needed
+
+[bwh: This was added without a description, but I think it is dealing
+with a similar issue to powerpcspe-omit-uimage.patch]
+
+Index: linux/arch/sh/Makefile
+===================================================================
+--- linux.orig/arch/sh/Makefile
++++ linux/arch/sh/Makefile
+@@ -89,7 +89,6 @@ OBJCOPYFLAGS := -O binary -R .note -R .n
+
+ # Give the various platforms the opportunity to set default image types
+ defaultimage-$(CONFIG_SUPERH32) := zImage
+-defaultimage-$(CONFIG_SH_SH7785LCR) := uImage
+ defaultimage-$(CONFIG_SH_RSK) := uImage
+ defaultimage-$(CONFIG_SH_URQUELL) := uImage
+ defaultimage-$(CONFIG_SH_MIGOR) := uImage
diff --git a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
new file mode 100644
index 000000000..5be1b26a7
--- /dev/null
+++ b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
@@ -0,0 +1,37 @@
+From: Adam Borowski <kilobyte@angband.pl>
+Date: Tue, 28 Mar 2017 16:55:05 +0200
+Subject: btrfs: warn about RAID5/6 being experimental at mount time
+Bug-Debian: https://bugs.debian.org/863290
+Origin: https://bugs.debian.org/863290#5
+
+Too many people come complaining about losing their data -- and indeed,
+there's no warning outside a wiki and the mailing list tribal knowledge.
+Message severity chosen for consistency with XFS -- "alert" makes dmesg
+produce nice red background which should get the point across.
+
+Signed-off-by: Adam Borowski <kilobyte@angband.pl>
+[bwh: Also add_taint() so this is flagged in bug reports]
+---
+ fs/btrfs/disk-io.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: linux/fs/btrfs/disk-io.c
+===================================================================
+--- linux.orig/fs/btrfs/disk-io.c
++++ linux/fs/btrfs/disk-io.c
+@@ -3089,6 +3089,15 @@ retry_root_backup:
+ btrfs_set_and_info(fs_info, SSD, "enabling ssd optimizations");
+ }
+
++ if ((fs_info->avail_data_alloc_bits |
++ fs_info->avail_metadata_alloc_bits |
++ fs_info->avail_system_alloc_bits) &
++ BTRFS_BLOCK_GROUP_RAID56_MASK) {
++ btrfs_alert(fs_info,
++ "btrfs RAID5/6 is EXPERIMENTAL and has known data-loss bugs");
++ add_taint(TAINT_USER, LOCKDEP_STILL_OK);
++ }
++
+ /*
+ * Mount does not set all options immediately, we can do it now and do
+ * not have to wait for transaction commit
diff --git a/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch b/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
new file mode 100644
index 000000000..57e118698
--- /dev/null
+++ b/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: cdc_ncm,cdc_mbim: Use NCM by default
+Date: Sun, 31 Mar 2013 03:58:04 +0100
+Forwarded: not-needed
+
+Devices that support both NCM and MBIM modes should be kept in NCM
+mode unless there is userland support for MBIM.
+
+Set the default value of cdc_ncm.prefer_mbim to false and leave it to
+userland (modem-manager) to override this with a modprobe.conf file
+once it's ready to speak MBIM.
+
+---
+Index: linux/drivers/net/usb/cdc_ncm.c
+===================================================================
+--- linux.orig/drivers/net/usb/cdc_ncm.c
++++ linux/drivers/net/usb/cdc_ncm.c
+@@ -53,11 +53,7 @@
+ #include <linux/usb/cdc.h>
+ #include <linux/usb/cdc_ncm.h>
+
+-#if IS_ENABLED(CONFIG_USB_NET_CDC_MBIM)
+-static bool prefer_mbim = true;
+-#else
+ static bool prefer_mbim;
+-#endif
+ module_param(prefer_mbim, bool, 0644);
+ MODULE_PARM_DESC(prefer_mbim, "Prefer MBIM setting on dual NCM/MBIM functions");
+
diff --git a/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
new file mode 100644
index 000000000..9f0e897c7
--- /dev/null
+++ b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
@@ -0,0 +1,45 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 16 Feb 2017 19:09:17 +0000
+Subject: dccp: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+We can mitigate the effect of vulnerabilities in obscure protocols by
+preventing unprivileged users from loading the modules, so that they
+are only exploitable on systems where the administrator has chosen to
+load the protocol.
+
+The 'dccp' protocol is not actively maintained or widely used.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+Index: linux/net/dccp/ipv4.c
+===================================================================
+--- linux.orig/net/dccp/ipv4.c
++++ linux/net/dccp/ipv4.c
+@@ -1079,8 +1079,8 @@ module_exit(dccp_v4_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol");
+Index: linux/net/dccp/ipv6.c
+===================================================================
+--- linux.orig/net/dccp/ipv6.c
++++ linux/net/dccp/ipv6.c
+@@ -1162,8 +1162,8 @@ module_exit(dccp_v6_exit);
+ * values directly, Also cover the case where the protocol is not specified,
+ * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP
+ */
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6);
+-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6);
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */
++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>");
+ MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol");
diff --git a/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch b/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
new file mode 100644
index 000000000..cb83e5ee8
--- /dev/null
+++ b/debian/patches/debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
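Review bot: Both hunks keep the upstream comment that describes which aliases are emitted (ending `i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP`) directly above lines that are now commented out, so net/dccp/ipv4.c and net/dccp/ipv6.c document behaviour they no longer have. I would end that comment with the actual state instead of leaving dead macros, e.g. `/* Debian: aliases intentionally not emitted; dccp must be loaded explicitly by the administrator */`. The comment blocks begin above the hunks, so only their last three lines are visible here.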
@@ -0,0 +1,34 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 20 Nov 2010 02:24:55 +0000
+Subject: [PATCH] decnet: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'decnet' protocol is unmaintained and of mostly historical
+interest, and the user-space support package 'dnet-common' loads the
+module explicitly. Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/decnet/af_decnet.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+Index: linux/net/decnet/af_decnet.c
+===================================================================
+--- linux.orig/net/decnet/af_decnet.c
++++ linux/net/decnet/af_decnet.c
+@@ -2346,7 +2346,7 @@ static const struct proto_ops dn_proto_o
+ MODULE_DESCRIPTION("The Linux DECnet Network Protocol");
+ MODULE_AUTHOR("Linux DECnet Project Team");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS_NETPROTO(PF_DECnet);
++/* MODULE_ALIAS_NETPROTO(PF_DECnet); */
+
+ static const char banner[] __initconst = KERN_INFO
+ "NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";
diff --git a/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch b/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
new file mode 100644
index 000000000..97d8be0b2
--- /dev/null
+++ b/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 13 Apr 2009 17:34:00 +0100
+Subject: Remove microcode patches for mgsuvd (not enabled in Debian configs)
+Forwarded: not-needed
+
+Index: linux/arch/powerpc/platforms/8xx/Kconfig
+===================================================================
+--- linux.orig/arch/powerpc/platforms/8xx/Kconfig
++++ linux/arch/powerpc/platforms/8xx/Kconfig
+@@ -144,16 +144,19 @@ config NO_UCODE_PATCH
+
+ config USB_SOF_UCODE_PATCH
+ bool "USB SOF patch"
++ depends on BROKEN
+ help
+ Help not implemented yet, coming soon.
+
+ config I2C_SPI_UCODE_PATCH
+ bool "I2C/SPI relocation patch"
++ depends on BROKEN
+ help
+ Help not implemented yet, coming soon.
+
+ config I2C_SPI_SMC1_UCODE_PATCH
+ bool "I2C/SPI/SMC1 relocation patch"
++ depends on BROKEN
+ help
+ Help not implemented yet, coming soon.
+
diff --git a/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch b/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
new file mode 100644
index 000000000..47233b0ff
--- /dev/null
+++ b/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
@@ -0,0 +1,17 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 17 Aug 2009 02:45:41 +0100
+Subject: dvb-usb-af9005: mark as broken
+Forwarded: not-needed
+
+Index: linux/drivers/media/usb/dvb-usb/Kconfig
+===================================================================
+--- linux.orig/drivers/media/usb/dvb-usb/Kconfig
++++ linux/drivers/media/usb/dvb-usb/Kconfig
+@@ -246,6 +246,7 @@ config DVB_USB_OPERA1
+
+ config DVB_USB_AF9005
+ tristate "Afatech AF9005 DVB-T USB1.1 support"
++ depends on BROKEN
+ depends on DVB_USB
+ select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT
+ select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT
diff --git a/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch b/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch
new file mode 100644
index 000000000..d0d266861
--- /dev/null
+++ b/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch
@@ -0,0 +1,52 @@
+From: Frederik Schüler <fs@debian.org>
+Date: Fri, 05 Jan 2007 15:55:24 +0000
+Subject: Add removal patches for: 3c359, smctr, keyspan, cops
+Forwarded: not-needed
+
+Index: linux/drivers/net/appletalk/Kconfig
+===================================================================
+--- linux.orig/drivers/net/appletalk/Kconfig
++++ linux/drivers/net/appletalk/Kconfig
+@@ -49,32 +49,6 @@ config LTPC
+ This driver is experimental, which means that it may not work.
+ See the file <file:Documentation/networking/ltpc.txt>.
+
+-config COPS
+- tristate "COPS LocalTalk PC support"
+- depends on DEV_APPLETALK && (ISA || EISA)
+- help
+- This allows you to use COPS AppleTalk cards to connect to LocalTalk
+- networks. You also need version 1.3.3 or later of the netatalk
+- package. This driver is experimental, which means that it may not
+- work. This driver will only work if you choose "AppleTalk DDP"
+- networking support, above.
+- Please read the file <file:Documentation/networking/cops.txt>.
+-
+-config COPS_DAYNA
+- bool "Dayna firmware support"
+- depends on COPS
+- help
+- Support COPS compatible cards with Dayna style firmware (Dayna
+- DL2000/ Daynatalk/PC (half length), COPS LT-95, Farallon PhoneNET PC
+- III, Farallon PhoneNET PC II).
+-
+-config COPS_TANGENT
+- bool "Tangent firmware support"
+- depends on COPS
+- help
+- Support COPS compatible cards with Tangent style firmware (Tangent
+- ATB_II, Novell NL-1000, Daystar Digital LT-200.
+-
+ config IPDDP
+ tristate "Appletalk-IP driver support"
+ depends on DEV_APPLETALK && ATALK
+Index: linux/drivers/net/appletalk/Makefile
+===================================================================
+--- linux.orig/drivers/net/appletalk/Makefile
++++ linux/drivers/net/appletalk/Makefile
+@@ -3,5 +3,4 @@
+ #
+
+ obj-$(CONFIG_IPDDP) += ipddp.o
+-obj-$(CONFIG_COPS) += cops.o
+ obj-$(CONFIG_LTPC) += ltpc.o
diff --git a/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch b/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
new file mode 100644
index 000000000..24e209fd1
--- /dev/null
+++ b/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
@@ -0,0 +1,134 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 2 Jun 2012 19:53:38 +0100
+Subject: video: Remove nvidiafb and rivafb
+Bug-Debian: https://bugs.debian.org/383481
+Forwarded: no
+
+These drivers contain register programming code provided by the
+hardware vendor that appears to have been deliberately obfuscated.
+This is arguably not the preferred form for modification.
+
+These drivers are also largely redundant with nouveau. The RIVA 128
+(NV3) is not supported by nouveau but is about 15 years old and
+probably discontinued 10 years ago.
+
+---
+Index: linux/drivers/video/fbdev/Kconfig
+===================================================================
+--- linux.orig/drivers/video/fbdev/Kconfig
++++ linux/drivers/video/fbdev/Kconfig
+@@ -901,101 +901,6 @@ config FB_ATMEL
+ help
+ This enables support for the AT91/AT32 LCD Controller.
+
+-config FB_NVIDIA
+- tristate "nVidia Framebuffer Support"
+- depends on FB && PCI
+- select FB_BACKLIGHT if FB_NVIDIA_BACKLIGHT
+- select FB_MODE_HELPERS
+- select FB_CFB_FILLRECT
+- select FB_CFB_COPYAREA
+- select FB_CFB_IMAGEBLIT
+- select BITREVERSE
+- select VGASTATE
+- help
+- This driver supports graphics boards with the nVidia chips, TNT
+- and newer. For very old chipsets, such as the RIVA128, then use
+- the rivafb.
+- Say Y if you have such a graphics board.
+-
+- To compile this driver as a module, choose M here: the
+- module will be called nvidiafb.
+-
+-config FB_NVIDIA_I2C
+- bool "Enable DDC Support"
+- depends on FB_NVIDIA
+- select FB_DDC
+- help
+- This enables I2C support for nVidia Chipsets. This is used
+- only for getting EDID information from the attached display
+- allowing for robust video mode handling and switching.
+-
+- Because fbdev-2.6 requires that drivers must be able to
+- independently validate video mode parameters, you should say Y
+- here.
+-
+-config FB_NVIDIA_DEBUG
+- bool "Lots of debug output"
+- depends on FB_NVIDIA
+- default n
+- help
+- Say Y here if you want the nVidia driver to output all sorts
+- of debugging information to provide to the maintainer when
+- something goes wrong.
+-
+-config FB_NVIDIA_BACKLIGHT
+- bool "Support for backlight control"
+- depends on FB_NVIDIA
+- default y
+- help
+- Say Y here if you want to control the backlight of your display.
+-
+-config FB_RIVA
+- tristate "nVidia Riva support"
+- depends on FB && PCI
+- select FB_BACKLIGHT if FB_RIVA_BACKLIGHT
+- select FB_MODE_HELPERS
+- select FB_CFB_FILLRECT
+- select FB_CFB_COPYAREA
+- select FB_CFB_IMAGEBLIT
+- select BITREVERSE
+- select VGASTATE
+- help
+- This driver supports graphics boards with the nVidia Riva/Geforce
+- chips.
+- Say Y if you have such a graphics board.
+-
+- To compile this driver as a module, choose M here: the
+- module will be called rivafb.
+-
+-config FB_RIVA_I2C
+- bool "Enable DDC Support"
+- depends on FB_RIVA
+- select FB_DDC
+- help
+- This enables I2C support for nVidia Chipsets. This is used
+- only for getting EDID information from the attached display
+- allowing for robust video mode handling and switching.
+-
+- Because fbdev-2.6 requires that drivers must be able to
+- independently validate video mode parameters, you should say Y
+- here.
+-
+-config FB_RIVA_DEBUG
+- bool "Lots of debug output"
+- depends on FB_RIVA
+- default n
+- help
+- Say Y here if you want the Riva driver to output all sorts
+- of debugging information to provide to the maintainer when
+- something goes wrong.
+-
+-config FB_RIVA_BACKLIGHT
+- bool "Support for backlight control"
+- depends on FB_RIVA
+- default y
+- help
+- Say Y here if you want to control the backlight of your display.
+-
+ config FB_I740
+ tristate "Intel740 support"
+ depends on FB && PCI
+Index: linux/drivers/video/fbdev/Makefile
+===================================================================
+--- linux.orig/drivers/video/fbdev/Makefile
++++ linux/drivers/video/fbdev/Makefile
+@@ -22,8 +22,6 @@ obj-$(CONFIG_FB_PM3) += pm3fb.o
+
+ obj-$(CONFIG_FB_I740) += i740fb.o
+ obj-$(CONFIG_FB_MATROX) += matrox/
+-obj-$(CONFIG_FB_RIVA) += riva/
+-obj-$(CONFIG_FB_NVIDIA) += nvidia/
+ obj-$(CONFIG_FB_ATY) += aty/ macmodes.o
+ obj-$(CONFIG_FB_ATY128) += aty/ macmodes.o
+ obj-$(CONFIG_FB_RADEON) += aty/
diff --git a/debian/patches/debian/dfsg/vs6624-disable.patch b/debian/patches/debian/dfsg/vs6624-disable.patch
new file mode 100644
index 000000000..41219ffd5
--- /dev/null
+++ b/debian/patches/debian/dfsg/vs6624-disable.patch
@@ -0,0 +1,17 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 27 May 2012 01:56:58 +0100
+Subject: vs6624: mark as broken
+Forwarded: not-needed
+
+Index: linux/drivers/media/i2c/Kconfig
+===================================================================
+--- linux.orig/drivers/media/i2c/Kconfig
++++ linux/drivers/media/i2c/Kconfig
+@@ -803,6 +803,7 @@ config VIDEO_OV13858
+ OV13858 camera.
+
+ config VIDEO_VS6624
++ depends on BROKEN
+ tristate "ST VS6624 sensor support"
+ depends on VIDEO_V4L2 && I2C
+ depends on MEDIA_CAMERA_SUPPORT
diff --git a/debian/patches/debian/export-symbols-needed-by-android-drivers.patch b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch
new file mode 100644
index 000000000..c2c8b5f23
--- /dev/null
+++ b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch
@@ -0,0 +1,156 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 26 Jun 2018 16:59:01 +0100
+Subject: Export symbols needed by Android drivers
+Bug-Debian: https://bugs.debian.org/901492
+
+We want to enable use of the Android ashmem and binder drivers to
+support Anbox, but they should not be built-in as that would waste
+resources and increase security attack surface on systems that don't
+need them.
+
+Export the currently un-exported symbols they depend on.
+
+---
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -409,6 +409,7 @@ struct files_struct *get_files_struct(st
+
+ return files;
+ }
++EXPORT_SYMBOL_GPL(get_files_struct);
+
+ void put_files_struct(struct files_struct *files)
+ {
+@@ -421,6 +422,7 @@ void put_files_struct(struct files_struc
+ kmem_cache_free(files_cachep, files);
+ }
+ }
++EXPORT_SYMBOL_GPL(put_files_struct);
+
+ void reset_files_struct(struct files_struct *files)
+ {
+@@ -534,6 +536,7 @@ out:
+ spin_unlock(&files->file_lock);
+ return error;
+ }
++EXPORT_SYMBOL_GPL(__alloc_fd);
+
+ static int alloc_fd(unsigned start, unsigned flags)
+ {
+@@ -607,6 +610,7 @@ void __fd_install(struct files_struct *f
+ rcu_assign_pointer(fdt->fd[fd], file);
+ rcu_read_unlock_sched();
+ }
++EXPORT_SYMBOL_GPL(__fd_install);
+
+ void fd_install(unsigned int fd, struct file *file)
+ {
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1054,6 +1054,7 @@ void mmput_async(struct mm_struct *mm)
+ schedule_work(&mm->async_put_work);
+ }
+ }
++EXPORT_SYMBOL_GPL(mmput_async);
+ #endif
+
+ /**
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1368,6 +1368,7 @@ struct sighand_struct *__lock_task_sigha
+
+ return sighand;
+ }
++EXPORT_SYMBOL_GPL(__lock_task_sighand);
+
+ /*
+ * send signal info to all the members of a group
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1644,6 +1644,7 @@ void zap_page_range(struct vm_area_struc
+ mmu_notifier_invalidate_range_end(mm, start, end);
+ tlb_finish_mmu(&tlb, start, end);
+ }
++EXPORT_SYMBOL_GPL(zap_page_range);
+
+ /**
+ * zap_page_range_single - remove user pages in a given range
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -4053,6 +4053,7 @@ int shmem_zero_setup(struct vm_area_stru
+
+ return 0;
+ }
++EXPORT_SYMBOL_GPL(shmem_zero_setup);
+
+ /**
+ * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags.
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -1300,6 +1300,7 @@ int map_kernel_range_noflush(unsigned lo
+ {
+ return vmap_page_range_noflush(addr, addr + size, prot, pages);
+ }
++EXPORT_SYMBOL_GPL(map_kernel_range_noflush);
+
+ /**
+ * unmap_kernel_range_noflush - unmap kernel VM area
+@@ -1440,6 +1441,7 @@ struct vm_struct *get_vm_area(unsigned l
+ NUMA_NO_NODE, GFP_KERNEL,
+ __builtin_return_address(0));
+ }
++EXPORT_SYMBOL_GPL(get_vm_area);
+
+ struct vm_struct *get_vm_area_caller(unsigned long size, unsigned long flags,
+ const void *caller)
+--- a/security/security.c
++++ b/security/security.c
+@@ -236,24 +236,28 @@ int security_binder_set_context_mgr(cons
+ {
+ return call_int_hook(binder_set_context_mgr, 0, mgr);
+ }
++EXPORT_SYMBOL_GPL(security_binder_set_context_mgr);
+
+ int security_binder_transaction(const struct cred *from,
+ const struct cred *to)
+ {
+ return call_int_hook(binder_transaction, 0, from, to);
+ }
++EXPORT_SYMBOL_GPL(security_binder_transaction);
+
+ int security_binder_transfer_binder(const struct cred *from,
+ const struct cred *to)
+ {
+ return call_int_hook(binder_transfer_binder, 0, from, to);
+ }
++EXPORT_SYMBOL_GPL(security_binder_transfer_binder);
+
+ int security_binder_transfer_file(const struct cred *from,
+ const struct cred *to, struct file *file)
+ {
+ return call_int_hook(binder_transfer_file, 0, from, to, file);
+ }
++EXPORT_SYMBOL_GPL(security_binder_transfer_file);
+
+ int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
+ {
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3979,6 +3979,7 @@ int can_nice(const struct task_struct *p
+ return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
+ capable(CAP_SYS_NICE));
+ }
++EXPORT_SYMBOL_GPL(can_nice);
+
+ #ifdef __ARCH_WANT_SYS_NICE
+
+--- a/kernel/sched/wait.c
++++ b/kernel/sched/wait.c
+@@ -215,6 +215,7 @@ void __wake_up_pollfree(struct wait_queu
+ /* POLLFREE must have cleared the queue. */
+ WARN_ON_ONCE(waitqueue_active(wq_head));
+ }
++EXPORT_SYMBOL_GPL(__wake_up_pollfree);
+
+ /*
+ * Note: we use "set_current_state()" _after_ the wait-queue add,
diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
new file mode 100644
index 000000000..5149007a4
--- /dev/null
+++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
@@ -0,0 +1,31 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS
+Date: Wed, 13 Jul 2016 01:37:22 +0100
+Forwarded: not-needed
+
+Various free and proprietary AV products use this feature and users
+apparently want it. But punting access checks to userland seems like
+an easy way to deadlock the system, and there will be nothing we can
+do about that. So warn and taint the kernel if this feature is
+actually used.
+
+---
+Index: linux/fs/notify/fanotify/fanotify_user.c
+===================================================================
+--- linux.orig/fs/notify/fanotify/fanotify_user.c
++++ linux/fs/notify/fanotify/fanotify_user.c
+@@ -842,6 +842,14 @@ static int do_fanotify_mark(int fanotify
+ if (mask & ~valid_mask)
+ return -EINVAL;
+
++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
++ if (mask & FAN_ALL_PERM_EVENTS) {
++ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n",
++ current->comm, current->pid);
++ add_taint(TAINT_USER, LOCKDEP_STILL_OK);
++ }
++#endif
++
+ f = fdget(fanotify_fd);
+ if (unlikely(!f.file))
+ return -EBADF;
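Review bot: None of the added `EXPORT_SYMBOL_GPL()` lines records that the export exists only for the modular binder/ashmem build, yet several of them (`__alloc_fd`, `__fd_install`, `get_files_struct`, `zap_page_range`, `__lock_task_sighand`) open file-table, mapping and signal internals to every GPL-licensed module, not just those two drivers. I would tag each one so the set can be audited and dropped later, e.g. `/* Debian: exported only for binder_linux/ashmem_linux (#901492) */`. The patch header also has no `Forwarded:` field, unlike most of its neighbours, so it is unclear whether upstream has been asked about widening this interface.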
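Review bot: The taint block in do_fanotify_mark sits between the `valid_mask` check and `fdget(fanotify_fd)`, so it runs before the descriptor is known to be valid, let alone a fanotify group; a call that goes on to fail with `-EBADF` has already tainted the kernel and used up the one-time warning. That makes `TAINT_USER` a weaker signal in bug reports than the description intends. I would move the block below the descriptor validation so it fires only for a mark that can actually be installed; those checks continue past the end of the hunk, so the exact position needs confirming against the full function. Because of `pr_warn_once`, only the first caller is ever named in the log, which is worth a comment such as `/* logged once per boot; later users are visible only through the taint flag */`.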
diff --git a/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch b/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
new file mode 100644
index 000000000..da4942ee6
--- /dev/null
+++ b/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
@@ -0,0 +1,58 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 12 Mar 2018 01:14:03 +0000
+Subject: firmware_class: Refer to Debian wiki page when logging missing firmware
+Bug-Debian: https://bugs.debian.org/888405
+Forwarded: not-needed
+
+If firmware loading fails due to a missing file, log a second error
+message referring to our wiki page about firmware. This will explain
+why some firmware is in non-free, or can't be packaged at all. Only
+do this once per boot.
+
+Do something similar in the radeon and amdgpu drivers, where we have
+an early check to avoid failing at a point where we cannot display
+anything.
+
+---
+Index: linux/drivers/base/firmware_loader/main.c
+===================================================================
+--- linux.orig/drivers/base/firmware_loader/main.c
++++ linux/drivers/base/firmware_loader/main.c
+@@ -340,9 +340,12 @@ fw_get_filesystem_firmware(struct device
+ }
+ __putname(path);
+
+- if (rc)
++ if (rc) {
+ dev_err(device, "firmware: failed to load %s (%d)\n",
+ fw_priv->fw_name, rc);
++ if (rc == -ENOENT)
++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
++ }
+
+ return rc;
+ }
+Index: linux/drivers/gpu/drm/radeon/radeon_drv.c
+===================================================================
+--- linux.orig/drivers/gpu/drm/radeon/radeon_drv.c
++++ linux/drivers/gpu/drm/radeon/radeon_drv.c
+@@ -403,6 +403,7 @@ static int radeon_pci_probe(struct pci_d
+ if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 &&
+ !radeon_firmware_installed()) {
+ DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n");
++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
+ return -ENODEV;
+ }
+
+Index: linux/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+===================================================================
+--- linux.orig/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ linux/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -859,6 +859,7 @@ static int amdgpu_pci_probe(struct pci_d
+
+ if (!amdgpu_firmware_installed()) {
+ DRM_ERROR("amdgpu requires firmware installed\n");
++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n");
+ return -ENODEV;
+ }
+
diff --git a/debian/patches/debian/fjes-disable-autoload.patch b/debian/patches/debian/fjes-disable-autoload.patch
new file mode 100644
index 000000000..e1081d872
--- /dev/null
+++ b/debian/patches/debian/fjes-disable-autoload.patch
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 18 Mar 2017 20:47:58 +0000
+Subject: fjes: Disable auto-loading
+Bug-Debian: https://bugs.debian.org/853976
+Forwarded: no
+
+fjes matches a generic ACPI device ID, and relies on its probe
+function to distinguish whether that really corresponds to a supported
+device. Very few system will need the driver and it wastes memory on
+all the other systems where the same device ID appears, so disable
+auto-loading.
+
+---
+Index: linux/drivers/net/fjes/fjes_main.c
+===================================================================
+--- linux.orig/drivers/net/fjes/fjes_main.c
++++ linux/drivers/net/fjes/fjes_main.c
+@@ -83,7 +83,7 @@ static const struct acpi_device_id fjes_
+ {ACPI_MOTHERBOARD_RESOURCE_HID, 0},
+ {"", 0},
+ };
+-MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids);
++/* MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); */
+
+ static struct acpi_driver fjes_acpi_driver = {
+ .name = DRV_NAME,
diff --git a/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch
new file mode 100644
index 000000000..50b32bc2d
--- /dev/null
+++ b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch
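Review bot: In drivers/net/fjes/fjes_main.c auto-loading is switched off by commenting the macro out, `/* MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); */`, which leaves dead code in the driver with no hint of why; the same pattern is used for `MODULE_ALIAS_NETPROTO(PF_RDS)` in net/rds/af_rds.c and `MODULE_ALIAS("platform:pcspkr")` in sound/drivers/pcsp/pcsp.c. The reason lives only in the patch descriptions, so someone reading the source may simply restore the line. I would delete the macro and leave a one-line comment in its place, e.g. `/* Debian: no MODULE_DEVICE_TABLE, auto-loading is disabled on purpose (bugs.debian.org/853976) */`. For rds the comment matters most, since its description presents the missing alias as the mitigation and the module then has to be loaded explicitly by the administrator.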
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: fs: Enable link security restrictions by default
+Date: Fri, 02 Nov 2012 05:32:06 +0000
+Bug-Debian: https://bugs.debian.org/609455
+Forwarded: not-needed
+
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+
+Index: linux/fs/namei.c
+===================================================================
+--- linux.orig/fs/namei.c
++++ linux/fs/namei.c
+@@ -885,8 +885,8 @@ static inline void put_link(struct namei
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
diff --git a/debian/patches/debian/gitignore.patch b/debian/patches/debian/gitignore.patch
new file mode 100644
index 000000000..493e558b7
--- /dev/null
+++ b/debian/patches/debian/gitignore.patch
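Review bot: In fs/namei.c only `sysctl_protected_symlinks` and `sysctl_protected_hardlinks` get the new default of 1; the two context lines below them, `sysctl_protected_fifos` and `sysctl_protected_regular`, have no initializer and therefore stay at 0. If that split is deliberate it deserves a comment, because the changed initializers now differ from upstream with no marker in the source. I would add above them something like `/* Debian: link restrictions on by default (reverts upstream 561ec64ae67e); fifos/regular keep the upstream default */`.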
@@ -0,0 +1,49 @@
+From: Ian Campbell <ijc@hellion.org.uk>
+Date: Thu, 17 Jan 2013 08:55:21 +0000
+Subject: Tweak gitignore for Debian pkg-kernel using git svn.
+Forwarded: not-needed
+
+[bwh: Tweak further for pure git]
+
+Index: linux/.gitignore
+===================================================================
+--- linux.orig/.gitignore
++++ linux/.gitignore
+@@ -64,11 +64,6 @@ modules.builtin
+ /*.spec
+
+ #
+-# Debian directory (make deb-pkg)
+-#
+-/debian/
+-
+-#
+ # Snap directory (make snap-pkg)
+ #
+ /snap/
+@@ -79,14 +74,6 @@ modules.builtin
+ /tar-install/
+
+ #
+-# git files that we don't want to ignore even if they are dot-files
+-#
+-!.gitignore
+-!.mailmap
+-!.cocciconfig
+-!.clang-format
+-
+-#
+ # Generated include files
+ #
+ include/config
+@@ -132,3 +119,10 @@ all.config
+
+ # Kdevelop4
+ *.kdev4
++
++#
++# Debian packaging: ignore everything at the top level, since it isn't
++# included in our repository
++#
++/*
++!/debian/
diff --git a/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
new file mode 100644
index 000000000..d9dcef669
--- /dev/null
+++ b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
@@ -0,0 +1,29 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 16 Feb 2016 02:45:42 +0000
+Subject: [i386/686-pae] PCI: Set pci=nobios by default
+Forwarded: not-needed
+
+CONFIG_PCI_GOBIOS results in physical addresses 640KB-1MB being mapped
+W+X, which is undesirable for security reasons and will result in a
+warning at boot now that we enable CONFIG_DEBUG_WX.
+
+This can be overridden using the kernel parameter "pci=nobios", but we
+want to disable W+X by default. Disable PCI BIOS probing by default;
+it can still be enabled using "pci=bios".
+
+---
+Index: linux/arch/x86/pci/common.c
+===================================================================
+--- linux.orig/arch/x86/pci/common.c
++++ linux/arch/x86/pci/common.c
+@@ -19,8 +19,8 @@
+ #include <asm/pci_x86.h>
+ #include <asm/setup.h>
+
+-unsigned int pci_probe = PCI_PROBE_BIOS | PCI_PROBE_CONF1 | PCI_PROBE_CONF2 |
+- PCI_PROBE_MMCONF;
++unsigned int pci_probe = PCI_PROBE_CONF1 | PCI_PROBE_CONF2 | PCI_PROBE_MMCONF |
++ (IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE) ? 0 : PCI_PROBE_BIOS);
+
+ static int pci_bf_sort;
+ int pci_routeirq;
diff --git a/debian/patches/debian/ia64-hardcode-arch-script-output.patch b/debian/patches/debian/ia64-hardcode-arch-script-output.patch
new file mode 100644
index 000000000..f4b320f15
--- /dev/null
+++ b/debian/patches/debian/ia64-hardcode-arch-script-output.patch
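Review bot: The new `pci_probe` initializer in arch/x86/pci/common.c relies on `||` binding tighter than `?:` and carries no comment, so the reason BIOS probing is dropped (the W+X mapping of 640KB-1MB named in the description) is invisible in the source. I would parenthesise the condition, `((IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE)) ? 0 : PCI_PROBE_BIOS)`, and add a comment such as `/* Debian: no PCI BIOS probing on 64-bit/PAE by default, it needs a W+X mapping; pci=bios re-enables it */`. As written, a 32-bit non-PAE build keeps PCI_PROBE_BIOS; that looks intended from the subject line but is worth stating in the comment.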
@@ -0,0 +1,72 @@ +From: dann frazier <dannf@debian.org> +Subject: Hardcode arch script output +Date: Mon, 26 Mar 2007 16:30:51 -0600 +Bug-Debian: https://bugs.debian.org/392592 +Forwarded: not-needed + +Here's a patch that simply uses hardcoded definitions instead of +doing the dynamic tests that require architecture-specific scripts. + +I don't particularly like this approach because it restricts +portability and diverts from upstream. But, it is simpler, and this +really needs to be fixed somehow before etch (along with a rebuild of +linux-modules-extra-2.6), so I'm willing to live with it if my other +patch is deemed unacceptable. + +My primary concern is that, in the future, the output of these scripts +will change and we (or our successors) will either not notice or +forget to update the hardcoded values. + +Including the scripts in linux-kbuild will avoid this manual step +altogether, and allow for the possibility of other archs to provide +their own scripts in the future. + +Index: linux/arch/ia64/Makefile +=================================================================== +--- linux.orig/arch/ia64/Makefile ++++ linux/arch/ia64/Makefile +@@ -30,16 +30,7 @@ cflags-y := -pipe $(EXTRA) -ffixed-r13 - + -falign-functions=32 -frename-registers -fno-optimize-sibling-calls + KBUILD_CFLAGS_KERNEL := -mconstant-gp + +-GAS_STATUS = $(shell $(srctree)/arch/ia64/scripts/check-gas "$(CC)" "$(OBJDUMP)") +-KBUILD_CPPFLAGS += $(shell $(srctree)/arch/ia64/scripts/toolchain-flags "$(CC)" "$(OBJDUMP)" "$(READELF)") +- +-ifeq ($(GAS_STATUS),buggy) +-$(error Sorry, you need a newer version of the assember, one that is built from \ +- a source-tree that post-dates 18-Dec-2002. 
You can find a pre-compiled \ +- static binary of such an assembler at: \ +- \ +- ftp://ftp.hpl.hp.com/pub/linux-ia64/gas-030124.tar.gz) +-endif ++KBUILD_CPPFLAGS += -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE + + KBUILD_CFLAGS += $(cflags-y) + head-y := arch/ia64/kernel/head.o +@@ -65,7 +56,7 @@ boot := arch/ia64/hp/sim/boot + + PHONY += boot compressed check + +-all: compressed unwcheck ++all: compressed + + compressed: vmlinux.gz + +@@ -74,9 +65,6 @@ vmlinuz: vmlinux.gz + vmlinux.gz: vmlinux + $(Q)$(MAKE) $(build)=$(boot) $@ + +-unwcheck: vmlinux +- -$(Q)READELF=$(READELF) $(PYTHON) $(srctree)/arch/ia64/scripts/unwcheck.py $< +- + archclean: + $(Q)$(MAKE) $(clean)=$(boot) + +@@ -92,7 +80,6 @@ define archhelp + echo '* compressed - Build compressed kernel image' + echo ' install - Install compressed kernel image' + echo ' boot - Build vmlinux and bootloader for Ski simulator' +- echo '* unwcheck - Check vmlinux for invalid unwind info' + endef + + archprepare: make_nr_irqs_h diff --git a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch new file mode 100644 index 000000000..37d84d005 --- /dev/null +++ b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch 
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: iwlwifi: Do not request unreleased firmware for IWL6000
+Bug-Debian: https://bugs.debian.org/689416
+Forwarded: not-needed
+
+The iwlwifi driver currently supports firmware API versions 4-6 for
+these devices. It will request the file for the latest supported
+version and then fall back to earlier versions. However, the latest
+version that has actually been released is 4, so we expect the
+requests for versions 6 and then 5 to fail.
+
+The installer appears to report any failed request, and it is probably
+not easy to detect that this particular failure is harmless. So stop
+requesting the unreleased firmware.
+
+Index: linux/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
+===================================================================
+--- linux.orig/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
++++ linux/drivers/net/wireless/intel/iwlwifi/cfg/6000.c
+@@ -32,7 +32,7 @@
+ #include "dvm/commands.h" /* needed for BT for now */
+
+ /* Highest firmware API version supported */
+-#define IWL6000_UCODE_API_MAX 6
++#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */
+ #define IWL6050_UCODE_API_MAX 5
+ #define IWL6000G2_UCODE_API_MAX 6
+ #define IWL6035_UCODE_API_MAX 6
diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch
new file mode 100644
index 000000000..d33dad595
--- /dev/null
+++ b/debian/patches/debian/kernelvariables.patch
@@ -0,0 +1,81 @@
+From: Bastian Blank <waldi@debian.org>
+Subject: kbuild: Make the toolchain variables easily overwritable
+Date: Sun, 22 Feb 2009 15:39:35 +0100
+Forwarded: not-needed
+
+Allow make variables to be overridden for each flavour by a file in
+the build tree, .kernelvariables.
+
+We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
+also CROSS_COMPILE, CFLAGS_KERNEL and CFLAGS_MODULE.
+
+This file can only be read after we establish the build tree, and all
+use of $(ARCH) needs to be moved after this.
+
+Index: linux/Makefile
+===================================================================
+--- linux.orig/Makefile
++++ linux/Makefile
+@@ -321,31 +321,6 @@ include scripts/subarch.include
+ # Note: Some architectures assign CROSS_COMPILE in their arch/*/Makefile
+ ARCH ?= $(SUBARCH)
+
+-# Architecture as present in compile.h
+-UTS_MACHINE := $(ARCH)
+-SRCARCH := $(ARCH)
+-
+-# Additional ARCH settings for x86
+-ifeq ($(ARCH),i386)
+- SRCARCH := x86
+-endif
+-ifeq ($(ARCH),x86_64)
+- SRCARCH := x86
+-endif
+-
+-# Additional ARCH settings for sparc
+-ifeq ($(ARCH),sparc32)
+- SRCARCH := sparc
+-endif
+-ifeq ($(ARCH),sparc64)
+- SRCARCH := sparc
+-endif
+-
+-# Additional ARCH settings for sh
+-ifeq ($(ARCH),sh64)
+- SRCARCH := sh
+-endif
+-
+ KCONFIG_CONFIG ?= .config
+ export KCONFIG_CONFIG
+
+@@ -399,6 +374,30 @@ CFLAGS_KERNEL =
+ AFLAGS_KERNEL =
+ LDFLAGS_vmlinux =
+
++-include $(obj)/.kernelvariables
++
++# Architecture as present in compile.h
++UTS_MACHINE := $(ARCH)
++SRCARCH := $(ARCH)
++
++# Additional ARCH settings for x86
++ifeq ($(ARCH),i386)
++ SRCARCH := x86
++endif
++ifeq ($(ARCH),x86_64)
++ SRCARCH := x86
++endif
++
++# Additional ARCH settings for sparc
++ifeq ($(ARCH),sparc64)
++ SRCARCH := sparc
++endif
++
++# Additional ARCH settings for sh
++ifeq ($(ARCH),sh64)
++ SRCARCH := sh
++endif
++
+ # Use USERINCLUDE when you must reference the UAPI directories only.
+ USERINCLUDE := \
+ -I$(srctree)/arch/$(SRCARCH)/include/uapi \
diff --git a/debian/patches/debian/mips-boston-disable-its.patch b/debian/patches/debian/mips-boston-disable-its.patch
new file mode 100644
index 000000000..ad93dfa8a
--- /dev/null
+++ b/debian/patches/debian/mips-boston-disable-its.patch
@@ -0,0 +1,22 @@
+From: YunQiang Su <syq@debian.org>
+Date: Mon, 14 May 2018 16:16:18 +0800
+Subject: Disable uImage generation for mips generic
+Forwarded: not-needed
+
+MIPS generic trys to generate uImage when build, which then ask for
+u-boot-tools.
+
+Index: linux/arch/mips/generic/Platform
+===================================================================
+--- linux.orig/arch/mips/generic/Platform
++++ linux/arch/mips/generic/Platform
+@@ -11,9 +11,7 @@
+ platform-$(CONFIG_MIPS_GENERIC) += generic/
+ cflags-$(CONFIG_MIPS_GENERIC) += -I$(srctree)/arch/mips/include/asm/mach-generic
+ load-$(CONFIG_MIPS_GENERIC) += 0xffffffff80100000
+-all-$(CONFIG_MIPS_GENERIC) := vmlinux.gz.itb
+
+-its-y := vmlinux.its.S
+ its-$(CONFIG_FIT_IMAGE_FDT_BOSTON) += board-boston.its.S
+ its-$(CONFIG_FIT_IMAGE_FDT_NI169445) += board-ni169445.its.S
+ its-$(CONFIG_FIT_IMAGE_FDT_OCELOT_PCB123) += board-ocelot_pcb123.its.S
diff --git a/debian/patches/debian/mips-disable-werror.patch b/debian/patches/debian/mips-disable-werror.patch
new file mode 100644
index 000000000..37da74ce3
--- /dev/null
+++ b/debian/patches/debian/mips-disable-werror.patch
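Review bot: The SRCARCH block re-added after `-include $(obj)/.kernelvariables` in the second linux/Makefile hunk is not the block the first hunk removes: the `ifeq ($(ARCH),sparc32)` / `SRCARCH := sparc` case is gone and only sparc64 remains. If that is intentional the description should say so, otherwise those three lines should be carried over so the move stays a pure move. Separately, `-include` ignores a missing file and whatever .kernelvariables sets (the description lists ARCH, CC, CROSS_COMPILE and the CFLAGS variables) replaces the toolchain without any trace in the build output, so a short comment above the include naming the variables it is expected to set would help anyone auditing a build tree.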
@@ -0,0 +1,25 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 13 Sep 2010 02:16:18 +0100
+Subject: [PATCH] Partially revert "MIPS: Add -Werror to arch/mips/Kbuild"
+Forwarded: not-needed
+
+This reverts commits 66f9ba101f54bda63ab1db97f9e9e94763d0651b and
+5373633cc9253ba82547473e899cab141c54133e.
+
+We really don't want to add -Werror anywhere.
+---
+Index: linux/arch/mips/Kbuild
+===================================================================
+--- linux.orig/arch/mips/Kbuild
++++ linux/arch/mips/Kbuild
+@@ -1,10 +1,3 @@
+-# Fail on warnings - also for files referenced in subdirs
+-# -Werror can be disabled for specific files using:
+-# CFLAGS_<file.o> := -Wno-error
+-ifeq ($(W),)
+-subdir-ccflags-y := -Werror
+-endif
+-
+ # platform specific definitions
+ include arch/mips/Kbuild.platforms
+ obj-y := $(platform-y)
diff --git a/debian/patches/debian/ntfs-mark-it-as-broken.patch b/debian/patches/debian/ntfs-mark-it-as-broken.patch
new file mode 100644
index 000000000..19892c9f0
--- /dev/null
+++ b/debian/patches/debian/ntfs-mark-it-as-broken.patch
@@ -0,0 +1,21 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 25 Apr 2019 15:31:33 +0100
+Subject: ntfs: mark it as broken
+
+NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and
+CVE-2018-12931. ntfs-3g is a better supported alternative.
+
+Make sure it can't be enabled even in custom kernels.
+
+---
+Index: linux/fs/ntfs/Kconfig
+===================================================================
+--- linux.orig/fs/ntfs/Kconfig
++++ linux/fs/ntfs/Kconfig
+@@ -1,5 +1,6 @@
+ config NTFS_FS
+ tristate "NTFS file system support"
++ depends on BROKEN
+ select NLS
+ help
+ NTFS is the file system of Microsoft Windows NT, 2000, XP and 2003.
diff --git a/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch
new file mode 100644
index 000000000..b951744e5
--- /dev/null
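Review bot: `depends on BROKEN` in fs/ntfs/Kconfig is added with no comment, and the help text below it still describes the driver as usable, so nothing in the source explains why the option has disappeared from the menu. I would put a comment above the new line, e.g. `# Debian: disabled, unfixed CVE-2018-12929, CVE-2018-12930, CVE-2018-12931; use ntfs-3g`, taken from the patch description. The help text continues past the end of the hunk.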
+++ b/debian/patches/debian/overlayfs-permit-mounts-in-userns.patch 
@@ -0,0 +1,59 @@
+From: Nicolas Schier <nicolas@fjasle.eu>
+Subject: ovl: permit overlayfs mounts in user namespaces (taints kernel)
+Date: Mon, 19 Nov 2018 20:36:14 +0100
+
+Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
+unprivileged LXC overlay snapshots.
+
+Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
+expected to be a security risk [2] and thus are not enabled on upstream
+Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
+overlay-based LXCs, this meant to patch and compile the kernel manually.
+Instead, adding the kernel tainting 'permit_mounts_in_userns' module
+parameter allows a kind of a user-friendly way to enable the feature.
+
+Testable with:
+
+ sudo modprobe overlay permit_mounts_in_userns=1
+ sudo sysctl -w kernel.unprivileged_userns_clone=1
+ mkdir -p lower upper work mnt
+ unshare --map-root-user --mount \
+ mount -t overlay none mnt \
+ -o lowerdir=lower,upperdir=upper,workdir=work
+
+[1]: Ubuntu allows unprivileged mounting of overlay filesystem
+https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
+
+[2]: User namespaces + overlayfs = root privileges
+https://lwn.net/Articles/671641/
+
+Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
+
+Index: linux/fs/overlayfs/super.c
+===================================================================
+--- linux.orig/fs/overlayfs/super.c
++++ linux/fs/overlayfs/super.c
+@@ -56,6 +56,11 @@ module_param_named(xino_auto, ovl_xino_a
+ MODULE_PARM_DESC(ovl_xino_auto_def,
+ "Auto enable xino feature");
+
++static bool ovl_permit_mounts_in_userns;
++module_param_named_unsafe(permit_mounts_in_userns, ovl_permit_mounts_in_userns,
++ bool, 0444);
++MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces");
++
+ static void ovl_entry_stack_free(struct ovl_entry *oe)
+ {
+ unsigned int i;
+@@ -1715,6 +1720,11 @@ static int __init ovl_init(void)
+ if (ovl_inode_cachep == NULL)
+ return -ENOMEM;
+
++ if (unlikely(ovl_permit_mounts_in_userns)) {
++ pr_warn("overlayfs: Allowing overlay mounts in user namespaces bears security risks\n");
++ ovl_fs_type.fs_flags |= FS_USERNS_MOUNT;
++ }
++
+ err = register_filesystem(&ovl_fs_type);
+ if (err)
+ kmem_cache_destroy(ovl_inode_cachep);
diff --git a/debian/patches/debian/powerpcspe-omit-uimage.patch b/debian/patches/debian/powerpcspe-omit-uimage.patch
new file mode 100644
index 000000000..48606a174
--- /dev/null
+++ b/debian/patches/debian/powerpcspe-omit-uimage.patch
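Review bot: `MODULE_PARM_DESC(permit_mounts_in_userns, "Permit mounts in user namespaces")` in fs/overlayfs/super.c does not tell an administrator reading the parameter description that the option is unsafe, although it is declared with `module_param_named_unsafe` and the patch description itself calls it a security risk. I would change the text to `"Permit overlayfs mounts in user namespaces (unsafe, taints the kernel)"`. In the ovl_init() hunk the flag is applied once at module init and the parameter mode is 0444, so it cannot be withdrawn while the module is loaded; a comment above the `FS_USERNS_MOUNT` line saying so would help, and `unlikely()` adds nothing on an init path. The literal `"overlayfs: "` prefix in the pr_warn may duplicate a pr_fmt defined outside the hunk, which should be checked. ovl_init() continues beyond the hunk.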
@@ -0,0 +1,45 @@ +Description: Prevent building uImage with missing mkimage + On some powerpc platforms, CONFIG_DEFAULT_UIMAGE is selected automatically, + which leads to uImage being built automatically with mkimage. This tool is not + available in linux's build-dependencies, and the file is not strictly + necessary, so we are omitting this step in the build process, Debian-specific. +Author: Roland Stigge <stigge@antcom.de> +Bug-Debian: https://bugs.debian.org/708094 +Forwarded: not-needed + +Index: linux/arch/powerpc/boot/Makefile +=================================================================== +--- linux.orig/arch/powerpc/boot/Makefile ++++ linux/arch/powerpc/boot/Makefile +@@ -268,7 +268,6 @@ image-$(CONFIG_PPC_CHRP) += zImage.chrp + image-$(CONFIG_PPC_EFIKA) += zImage.chrp + image-$(CONFIG_PPC_PMAC) += zImage.pmac + image-$(CONFIG_PPC_HOLLY) += dtbImage.holly +-image-$(CONFIG_DEFAULT_UIMAGE) += uImage + image-$(CONFIG_EPAPR_BOOT) += zImage.epapr + + # +@@ -327,23 +326,6 @@ image-$(CONFIG_MPC834x_MDS) += cuImage. + image-$(CONFIG_MPC836x_MDS) += cuImage.mpc836x_mds + image-$(CONFIG_ASP834x) += dtbImage.asp834x-redboot + +-# Board ports in arch/powerpc/platform/85xx/Kconfig +-image-$(CONFIG_MPC8540_ADS) += cuImage.mpc8540ads +-image-$(CONFIG_MPC8560_ADS) += cuImage.mpc8560ads +-image-$(CONFIG_MPC85xx_CDS) += cuImage.mpc8541cds \ +- cuImage.mpc8548cds_32b \ +- cuImage.mpc8555cds +-image-$(CONFIG_MPC85xx_MDS) += cuImage.mpc8568mds +-image-$(CONFIG_MPC85xx_DS) += cuImage.mpc8544ds \ +- cuImage.mpc8572ds +-image-$(CONFIG_TQM8540) += cuImage.tqm8540 +-image-$(CONFIG_TQM8541) += cuImage.tqm8541 +-image-$(CONFIG_TQM8548) += cuImage.tqm8548 +-image-$(CONFIG_TQM8555) += cuImage.tqm8555 +-image-$(CONFIG_TQM8560) += cuImage.tqm8560 +-image-$(CONFIG_SBC8548) += cuImage.sbc8548 +-image-$(CONFIG_KSI8560) += cuImage.ksi8560 +- + # Board ports in arch/powerpc/platform/86xx/Kconfig + image-$(CONFIG_MVME7100) += dtbImage.mvme7100 + 
diff --git a/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch b/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
new file mode 100644
index 000000000..451c2923e
--- /dev/null
+++ b/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
@@ -0,0 +1,31 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 19 Nov 2010 02:12:48 +0000
+Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits
+Forwarded: not-needed
+
+Recent review has revealed several bugs in obscure protocol
+implementations that can be exploited by local users for denial of
+service or privilege escalation. We can mitigate the effect of any
+remaining vulnerabilities in such protocols by preventing unprivileged
+users from loading the modules, so that they are only exploitable on
+systems where the administrator has chosen to load the protocol.
+
+The 'rds' protocol is one such protocol that has been found to be
+vulnerable, and which was not present in the 'lenny' kernel.
+Therefore disable auto-loading.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/rds/af_rds.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+Index: linux/net/rds/af_rds.c
+===================================================================
+--- linux.orig/net/rds/af_rds.c
++++ linux/net/rds/af_rds.c
+@@ -836,4 +836,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagr
+ " v" DRV_VERSION " (" DRV_RELDATE ")");
+ MODULE_VERSION(DRV_VERSION);
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_ALIAS_NETPROTO(PF_RDS);
++/* MODULE_ALIAS_NETPROTO(PF_RDS); */
diff --git a/debian/patches/debian/revert-objtool-fix-config_stack_validation-y-warning.patch b/debian/patches/debian/revert-objtool-fix-config_stack_validation-y-warning.patch
new file mode 100644
index 000000000..6abe64a8f
--- /dev/null
+++ b/debian/patches/debian/revert-objtool-fix-config_stack_validation-y-warning.patch
@@ -0,0 +1,50 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 14 Jan 2018 19:27:18 +0000 +Subject: Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for + out-of-tree modules" + +This reverts commit 9f0c18aec620bc9d82268b3cb937568dd07b43ff. This +check doesn't make sense for OOT modules as they should always use +a pre-built objtool. +--- + Makefile | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -971,17 +971,6 @@ export mod_sign_cmd + + HOST_LIBELF_LIBS = $(shell pkg-config libelf --libs 2>/dev/null || echo -lelf) + +-ifdef CONFIG_STACK_VALIDATION +- has_libelf := $(call try-run,\ +- echo "int main() {}" | $(HOSTCC) $(KBUILD_HOSTLDFLAGS) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0) +- ifeq ($(has_libelf),1) +- objtool_target := tools/objtool FORCE +- else +- SKIP_STACK_VALIDATION := 1 +- export SKIP_STACK_VALIDATION +- endif +-endif +- + PHONY += prepare0 + + ifeq ($(KBUILD_EXTMOD),) +@@ -1132,6 +1121,17 @@ uapi-asm-generic: + $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.asm-generic \ + src=uapi/asm obj=arch/$(SRCARCH)/include/generated/uapi/asm + ++ifdef CONFIG_STACK_VALIDATION ++ has_libelf := $(call try-run,\ ++ echo "int main() {}" | $(HOSTCC) $(KBUILD_HOSTLDFLAGS) -xc -o /dev/null $(HOST_LIBELF_LIBS) -,1,0) ++ ifeq ($(has_libelf),1) ++ objtool_target := tools/objtool FORCE ++ else ++ SKIP_STACK_VALIDATION := 1 ++ export SKIP_STACK_VALIDATION ++ endif ++endif ++ + PHONY += prepare-objtool + prepare-objtool: $(objtool_target) + ifeq ($(SKIP_STACK_VALIDATION),1) diff --git a/debian/patches/debian/sched-autogroup-disabled.patch b/debian/patches/debian/sched-autogroup-disabled.patch new file mode 100644 index 000000000..20e57105c --- /dev/null +++ b/debian/patches/debian/sched-autogroup-disabled.patch 
@@ -0,0 +1,21 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: sched: Do not enable autogrouping by default
+Date: Wed, 16 Mar 2011 03:17:06 +0000
+Forwarded: not-needed
+
+We want to provide the option of autogrouping but without enabling
+it by default yet.
+
+Index: linux/kernel/sched/autogroup.c
+===================================================================
+--- linux.orig/kernel/sched/autogroup.c
++++ linux/kernel/sched/autogroup.c
+@@ -5,7 +5,7 @@
+ #include <linux/nospec.h>
+ #include "sched.h"
+
+-unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
++unsigned int __read_mostly sysctl_sched_autogroup_enabled = 0;
+ static struct autogroup autogroup_default;
+ static atomic_t autogroup_seq_nr;
+
diff --git a/debian/patches/debian/snd-pcsp-disable-autoload.patch b/debian/patches/debian/snd-pcsp-disable-autoload.patch
new file mode 100644
index 000000000..2681d4275
--- /dev/null
+++ b/debian/patches/debian/snd-pcsp-disable-autoload.patch
@@ -0,0 +1,32 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 05 Feb 2014 23:01:30 +0000
+Subject: snd-pcsp: Disable autoload
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/697709
+
+There are two drivers claiming the platform:pcspkr device:
+- pcspkr creates an input(!) device that can only beep
+- snd-pcsp creates an equivalent input device plus a PCM device that can
+ play barely recognisable renditions of sampled sound
+
+snd-pcsp is blacklisted by the alsa-base package, but not everyone
+installs that. On PCs where no sound is wanted at all, both drivers
+will still be loaded and one or other will complain that it couldn't
+claim the relevant I/O range.
+
+In case anyone finds snd-pcsp useful, we continue to build it. But
+remove the alias, to ensure it's not loaded where it's not wanted.
+
+Index: linux/sound/drivers/pcsp/pcsp.c
+===================================================================
+--- linux.orig/sound/drivers/pcsp/pcsp.c
++++ linux/sound/drivers/pcsp/pcsp.c
+@@ -22,7 +22,7 @@ MODULE_AUTHOR("Stas Sergeev <stsp@users.
+ MODULE_DESCRIPTION("PC-Speaker driver");
+ MODULE_LICENSE("GPL");
+ MODULE_SUPPORTED_DEVICE("{{PC-Speaker, pcsp}}");
+-MODULE_ALIAS("platform:pcspkr");
++/*MODULE_ALIAS("platform:pcspkr");*/
+
+ static int index = SNDRV_DEFAULT_IDX1; /* Index 0-MAX */
+ static char *id = SNDRV_DEFAULT_STR1; /* ID for this card */
diff --git a/debian/patches/debian/tools-perf-install.patch b/debian/patches/debian/tools-perf-install.patch
new file mode 100644
index 000000000..8cfd02afd
--- /dev/null
+++ b/debian/patches/debian/tools-perf-install.patch
@@ -0,0 +1,58 @@ +From: Bastian Blank <waldi@debian.org> +Date: Fri, 07 Oct 2011 21:37:52 +0100 +Subject: Install perf scripts non-executable +Forwarded: no + +[bwh: Forward-ported to 4.13] + +Index: linux/tools/perf/Makefile.perf +=================================================================== +--- linux.orig/tools/perf/Makefile.perf ++++ linux/tools/perf/Makefile.perf +@@ -796,8 +796,8 @@ endif + ifndef NO_LIBPERL + $(call QUIET_INSTALL, perl-scripts) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \ +- $(INSTALL) scripts/perl/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \ +- $(INSTALL) scripts/perl/*.pl -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl'; \ ++ $(INSTALL) -m 644 scripts/perl/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/Perf-Trace-Util/lib/Perf/Trace'; \ ++ $(INSTALL) -m 644 scripts/perl/*.pl -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin'; \ + $(INSTALL) scripts/perl/bin/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/perl/bin' + endif +@@ -805,27 +805,27 @@ ifndef NO_LIBPYTHON + $(call QUIET_INSTALL, python-scripts) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/Perf-Trace-Util/lib/Perf/Trace'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/bin'; \ +- $(INSTALL) scripts/python/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/Perf-Trace-Util/lib/Perf/Trace'; \ +- $(INSTALL) scripts/python/*.py -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python'; \ ++ $(INSTALL) -m 644 scripts/python/Perf-Trace-Util/lib/Perf/Trace/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/Perf-Trace-Util/lib/Perf/Trace'; \ ++ $(INSTALL) -m 644 scripts/python/*.py -t 
'$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python'; \ + $(INSTALL) scripts/python/bin/* -t '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/scripts/python/bin' + endif + $(call QUIET_INSTALL, perf_completion-script) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \ +- $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)' ++ $(INSTALL) -m 644 perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)' + $(call QUIET_INSTALL, perf-tip) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \ +- $(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)' ++ $(INSTALL) -m 644 Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)' + + install-tests: all install-gtk + $(call QUIET_INSTALL, tests) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \ +- $(INSTALL) tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \ ++ $(INSTALL) -m 644 tests/attr.py '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \ +- $(INSTALL) tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \ ++ $(INSTALL) -m 644 tests/attr/* '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/attr'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \ +- $(INSTALL) tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \ ++ $(INSTALL) -m 644 tests/shell/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell'; \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib'; \ +- $(INSTALL) tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib' ++ $(INSTALL) -m 644 tests/shell/lib/*.sh '$(DESTDIR_SQ)$(perfexec_instdir_SQ)/tests/shell/lib' + + install-bin: install-tools install-tests install-traceevent-plugins + 
diff --git a/debian/patches/debian/tools-perf-version.patch b/debian/patches/debian/tools-perf-version.patch new file mode 100644 index 000000000..6833bb7a7 --- /dev/null +++ b/debian/patches/debian/tools-perf-version.patch 
@@ -0,0 +1,119 @@ +From: Bastian Blank <waldi@debian.org> +Date: Mon, 26 Sep 2011 13:53:12 +0100 +Subject: Create manpages and binaries including the version +Forwarded: no + +[bwh: Fix version insertion in perf man page cross-references and perf +man page title. Install bash_completion script for perf with a +version-dependent name. And do the same for trace.] + +Index: linux/tools/perf/Makefile.perf +=================================================================== +--- linux.orig/tools/perf/Makefile.perf ++++ linux/tools/perf/Makefile.perf +@@ -759,23 +759,23 @@ endif + install-tools: all install-gtk + $(call QUIET_INSTALL, binaries) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(bindir_SQ)'; \ +- $(INSTALL) $(OUTPUT)perf '$(DESTDIR_SQ)$(bindir_SQ)'; \ +- $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf' '$(DESTDIR_SQ)$(bindir_SQ)/trace' ++ $(INSTALL) $(OUTPUT)perf '$(DESTDIR_SQ)$(bindir_SQ)/perf_$(VERSION)'; \ ++ $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf_$(VERSION)' '$(DESTDIR_SQ)$(bindir_SQ)/trace_$(VERSION)' ++ $(call QUIET_INSTALL, libexec) \ ++ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)' + ifndef NO_PERF_READ_VDSO32 + $(call QUIET_INSTALL, perf-read-vdso32) \ +- $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(bindir_SQ)'; ++ $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'; + endif + ifndef NO_PERF_READ_VDSOX32 + $(call QUIET_INSTALL, perf-read-vdsox32) \ +- $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(bindir_SQ)'; ++ $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'; + endif + ifndef NO_JVMTI + $(call QUIET_INSTALL, $(LIBJVMTI)) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \ + $(INSTALL) $(OUTPUT)$(LIBJVMTI) '$(DESTDIR_SQ)$(libdir_SQ)'; + endif +- $(call QUIET_INSTALL, libexec) \ +- $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)' + ifndef NO_LIBBPF + $(call QUIET_INSTALL, bpf-headers) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perf_include_instdir_SQ)/bpf'; \ +@@ -811,7 +811,7 
@@ ifndef NO_LIBPYTHON + endif + $(call QUIET_INSTALL, perf_completion-script) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d'; \ +- $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf' ++ $(INSTALL) perf-completion.sh '$(DESTDIR_SQ)$(sysconfdir_SQ)/bash_completion.d/perf_$(VERSION)' + $(call QUIET_INSTALL, perf-tip) \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(tip_instdir_SQ)'; \ + $(INSTALL) Documentation/tips.txt -t '$(DESTDIR_SQ)$(tip_instdir_SQ)' +@@ -836,7 +836,7 @@ install-python_ext: + + # 'make install-doc' should call 'make -C Documentation install' + $(INSTALL_DOC_TARGETS): +- $(QUIET_SUBDIR0)Documentation $(QUIET_SUBDIR1) $(@:-doc=) ++ $(QUIET_SUBDIR0)Documentation $(QUIET_SUBDIR1) $(@:-doc=) VERSION=$(VERSION) + + ### Cleaning rules + +Index: linux/tools/perf/Documentation/Makefile +=================================================================== +--- linux.orig/tools/perf/Documentation/Makefile ++++ linux/tools/perf/Documentation/Makefile +@@ -194,14 +194,16 @@ ifdef missing_tools + $(error "You need to install $(missing_tools) for man pages") + endif + +-do-install-man: man ++do-install-man: $(addprefix install-man-,$(_DOC_MAN1)) ++ ++install-man-perf.1: $(OUTPUT)perf.1 ++ $(INSTALL) -d -m 755 $(DESTDIR)$(man1dir) ++ sed -e 's/"PERF"/"PERF_$(VERSION)"/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION).1 ++ ++install-man-perf%.1: $(OUTPUT)perf%.1 + $(call QUIET_INSTALL, Documentation-man) \ + $(INSTALL) -d -m 755 $(DESTDIR)$(man1dir); \ +-# $(INSTALL) -d -m 755 $(DESTDIR)$(man5dir); \ +-# $(INSTALL) -d -m 755 $(DESTDIR)$(man7dir); \ +- $(INSTALL) -m 644 $(DOC_MAN1) $(DESTDIR)$(man1dir); \ +-# $(INSTALL) -m 644 $(DOC_MAN5) $(DESTDIR)$(man5dir); \ +-# $(INSTALL) -m 644 $(DOC_MAN7) $(DESTDIR)$(man7dir) ++ sed -e 's/"PERF\\-/"PERF_$(VERSION)\\-/' -e 's/fBperf-/fBperf_$(VERSION)-/g' $^ > $(DESTDIR)$(man1dir)/perf_$(VERSION)$*.1 + + install-man: check-man-tools man 
do-install-man + +Index: linux/tools/perf/util/Build +=================================================================== +--- linux.orig/tools/perf/util/Build ++++ linux/tools/perf/util/Build +@@ -193,6 +193,7 @@ CFLAGS_libstring.o += -Wno-unused-pa + CFLAGS_hweight.o += -Wno-unused-parameter -DETC_PERFCONFIG="BUILD_STR($(ETC_PERFCONFIG_SQ))" + CFLAGS_parse-events.o += -Wno-redundant-decls + CFLAGS_header.o += -include $(OUTPUT)PERF-VERSION-FILE ++CFLAGS_vdso.o += -DPERFEXECDIR='"$(perfexec_instdir_SQ)"' + + $(OUTPUT)util/kallsyms.o: ../lib/symbol/kallsyms.c FORCE + $(call rule_mkdir) +Index: linux/tools/perf/util/vdso.c +=================================================================== +--- linux.orig/tools/perf/util/vdso.c ++++ linux/tools/perf/util/vdso.c +@@ -52,12 +52,12 @@ static struct vdso_info *vdso_info__new( + .vdso32 = { + .temp_file_name = VDSO__TEMP_FILE_NAME, + .dso_name = DSO__NAME_VDSO32, +- .read_prog = "perf-read-vdso32", ++ .read_prog = PERFEXECDIR "/perf-read-vdso32", + }, + .vdsox32 = { + .temp_file_name = VDSO__TEMP_FILE_NAME, + .dso_name = DSO__NAME_VDSOX32, +- .read_prog = "perf-read-vdsox32", ++ .read_prog = PERFEXECDIR "/perf-read-vdsox32", + }, + #endif + }; diff --git a/debian/patches/debian/uname-version-timestamp.patch b/debian/patches/debian/uname-version-timestamp.patch new file mode 100644 index 000000000..74cbebbde --- /dev/null +++ b/debian/patches/debian/uname-version-timestamp.patch 
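Review bot: The two new `install-man-perf*.1` rules in the tools/perf/Documentation/Makefile hunk create the installed pages with a shell redirect (`sed ... > $(DESTDIR)$(man1dir)/perf_$(VERSION).1`), so their mode now comes from the build user's umask instead of the `$(INSTALL) -m 644` that the removed recipe used. A restrictive umask leaves the pages unreadable to other users and a permissive one can leave them group- or world-writable. I would set the mode explicitly after each `sed`, e.g. `chmod 644 '$(DESTDIR)$(man1dir)/perf_$(VERSION).1'` and the `perf_$(VERSION)$*.1` equivalent, and quote the destination path the way the Makefile.perf recipes do. The `install-man-perf.1` rule also lacks the `$(call QUIET_INSTALL, Documentation-man)` prefix that the pattern rule keeps.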
@@ -0,0 +1,35 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: Make mkcompile_h accept an alternate timestamp string
+Date: Tue, 12 May 2015 19:29:22 +0100
+Forwarded: not-needed
+
+We want to include the Debian version in the utsname::version string
+instead of a full timestamp string. However, we still need to provide
+a standard timestamp string for gen_initramfs_list.sh to make the
+kernel image reproducible.
+
+Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
+$KBUILD_BUILD_TIMESTAMP.
+
+Index: linux/scripts/mkcompile_h
+===================================================================
+--- linux.orig/scripts/mkcompile_h
++++ linux/scripts/mkcompile_h
+@@ -33,10 +33,14 @@ else
+ VERSION=$KBUILD_BUILD_VERSION
+ fi
+
+-if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
+- TIMESTAMP=`date`
++if [ -z "$KBUILD_BUILD_VERSION_TIMESTAMP" ]; then
++ if [ -z "$KBUILD_BUILD_TIMESTAMP" ]; then
++ TIMESTAMP=`date`
++ else
++ TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++ fi
+ else
+- TIMESTAMP=$KBUILD_BUILD_TIMESTAMP
++ TIMESTAMP=$KBUILD_BUILD_VERSION_TIMESTAMP
+ fi
+ if test -z "$KBUILD_BUILD_USER"; then
+ LINUX_COMPILE_BY=$(whoami | sed 's/\\/\\\\/')
diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch
new file mode 100644
index 000000000..4447df7bb
--- /dev/null
+++ b/debian/patches/debian/version.patch
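Review bot: The nested `if` added to scripts/mkcompile_h encodes a three-step fallback (KBUILD_BUILD_VERSION_TIMESTAMP, then KBUILD_BUILD_TIMESTAMP, then `date`) that reads more directly as one POSIX parameter expansion: `TIMESTAMP=${KBUILD_BUILD_VERSION_TIMESTAMP:-${KBUILD_BUILD_TIMESTAMP:-$(date)}}`. The `:-` form treats unset and empty exactly as the `-z` tests do, and `date` still runs only when both variables are empty. A comment above it, such as `# utsname version string: package timestamp, else the reproducible-build timestamp, else wall clock`, would record why two variables exist. The script continues outside the hunk.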
@@ -0,0 +1,177 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Subject: Include package version along with kernel release in stack traces +Date: Tue, 24 Jul 2012 03:13:10 +0100 +Forwarded: not-needed + +For distribution binary packages we assume +$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION +are set. + +Index: linux/Makefile +=================================================================== +--- linux.orig/Makefile ++++ linux/Makefile +@@ -1087,7 +1087,8 @@ endif + # that need to depend on updated CONFIG_* values can be checked here. + prepare2: prepare3 outputmakefile asm-generic + +-prepare1: prepare2 $(version_h) $(autoksyms_h) include/generated/utsrelease.h ++prepare1: prepare2 $(version_h) $(autoksyms_h) include/generated/utsrelease.h \ ++ include/generated/package.h + $(cmd_crmodverdir) + + archprepare: archheaders archscripts prepare1 scripts_basic +@@ -1139,6 +1140,16 @@ define filechk_version.h + echo '#define KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + (c))';) + endef + ++ifneq ($(DISTRIBUTION_OFFICIAL_BUILD),) ++define filechk_package.h ++ echo \#define LINUX_PACKAGE_ID \" $(DISTRIBUTOR) $(DISTRIBUTION_VERSION)\" ++endef ++else ++define filechk_package.h ++ echo \#define LINUX_PACKAGE_ID \"\" ++endef ++endif ++ + $(version_h): FORCE + $(call filechk,version.h) + $(Q)rm -f $(old_version_h) +@@ -1146,6 +1157,9 @@ $(version_h): FORCE + include/generated/utsrelease.h: include/config/kernel.release FORCE + $(call filechk,utsrelease.h) + ++include/generated/package.h: $(srctree)/Makefile FORCE ++ $(call filechk,package.h) ++ + PHONY += headerdep + headerdep: + $(Q)find $(srctree)/include/ -name '*.h' | xargs --max-args 1 \ +Index: linux/arch/x86/um/sysrq_64.c +=================================================================== +--- linux.orig/arch/x86/um/sysrq_64.c ++++ linux/arch/x86/um/sysrq_64.c +@@ -9,6 +9,7 @@ + #include <linux/sched.h> + #include <linux/sched/debug.h> + #include <linux/utsname.h> ++#include 
<generated/package.h> + #include <asm/current.h> + #include <asm/ptrace.h> + #include <asm/sysrq.h> +@@ -17,8 +18,9 @@ void show_regs(struct pt_regs *regs) + { + printk("\n"); + print_modules(); +- printk(KERN_INFO "Pid: %d, comm: %.20s %s %s\n", task_pid_nr(current), +- current->comm, print_tainted(), init_utsname()->release); ++ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s%s\n", task_pid_nr(current), ++ current->comm, print_tainted(), init_utsname()->release, ++ LINUX_PACKAGE_ID); + printk(KERN_INFO "RIP: %04lx:[<%016lx>]\n", PT_REGS_CS(regs) & 0xffff, + PT_REGS_IP(regs)); + printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs), +Index: linux/arch/ia64/kernel/process.c +=================================================================== +--- linux.orig/arch/ia64/kernel/process.c ++++ linux/arch/ia64/kernel/process.c +@@ -34,6 +34,7 @@ + #include <linux/utsname.h> + #include <linux/tracehook.h> + #include <linux/rcupdate.h> ++#include <generated/package.h> + + #include <asm/cpu.h> + #include <asm/delay.h> +@@ -104,9 +105,9 @@ show_regs (struct pt_regs *regs) + print_modules(); + printk("\n"); + show_regs_print_info(KERN_DEFAULT); +- printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s)\n", ++ printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s%s)\n", + regs->cr_ipsr, regs->cr_ifs, ip, print_tainted(), +- init_utsname()->release); ++ init_utsname()->release, LINUX_PACKAGE_ID); + printk("ip is at %pS\n", (void *)ip); + printk("unat: %016lx pfs : %016lx rsc : %016lx\n", + regs->ar_unat, regs->ar_pfs, regs->ar_rsc); +Index: linux/arch/powerpc/kernel/process.c +=================================================================== +--- linux.orig/arch/powerpc/kernel/process.c ++++ linux/arch/powerpc/kernel/process.c +@@ -43,6 +43,7 @@ + #include <linux/uaccess.h> + #include <linux/elf-randomize.h> + #include <linux/pkeys.h> ++#include <generated/package.h> + + #include <asm/pgtable.h> + #include <asm/io.h> +@@ -1424,8 +1425,9 @@ void show_regs(struct 
pt_regs * regs) + + printk("NIP: "REG" LR: "REG" CTR: "REG"\n", + regs->nip, regs->link, regs->ctr); +- printk("REGS: %px TRAP: %04lx %s (%s)\n", +- regs, regs->trap, print_tainted(), init_utsname()->release); ++ printk("REGS: %px TRAP: %04lx %s (%s%s)\n", ++ regs, regs->trap, print_tainted(), init_utsname()->release, ++ LINUX_PACKAGE_ID); + printk("MSR: "REG" ", regs->msr); + print_msr_bits(regs->msr); + pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer); +Index: linux/kernel/hung_task.c +=================================================================== +--- linux.orig/kernel/hung_task.c ++++ linux/kernel/hung_task.c +@@ -21,6 +21,7 @@ + #include <linux/sched/debug.h> + + #include <trace/events/sched.h> ++#include <generated/package.h> + + /* + * The number of tasks checked: +@@ -127,10 +128,11 @@ static void check_hung_task(struct task_ + sysctl_hung_task_warnings--; + pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n", + t->comm, t->pid, timeout); +- pr_err(" %s %s %.*s\n", ++ pr_err(" %s %s %.*s%s\n", + print_tainted(), init_utsname()->release, + (int)strcspn(init_utsname()->version, " "), +- init_utsname()->version); ++ init_utsname()->version, ++ LINUX_PACKAGE_ID); + pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\"" + " disables this message.\n"); + sched_show_task(t); +Index: linux/lib/dump_stack.c +=================================================================== +--- linux.orig/lib/dump_stack.c ++++ linux/lib/dump_stack.c +@@ -12,6 +12,7 @@ + #include <linux/atomic.h> + #include <linux/kexec.h> + #include <linux/utsname.h> ++#include <generated/package.h> + + static char dump_stack_arch_desc_str[128]; + +@@ -44,13 +45,14 @@ void __init dump_stack_set_arch_desc(con + */ + void dump_stack_print_info(const char *log_lvl) + { +- printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s\n", ++ printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s%s\n", + log_lvl, raw_smp_processor_id(), current->pid, current->comm, + kexec_crash_loaded() 
? "Kdump: loaded " : "", + print_tainted(), + init_utsname()->release, + (int)strcspn(init_utsname()->version, " "), +- init_utsname()->version); ++ init_utsname()->version, ++ LINUX_PACKAGE_ID); + + if (dump_stack_arch_desc_str[0] != '\0') + printk("%sHardware name: %s\n", diff --git a/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch b/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch new file mode 100644 index 000000000..112683839 --- /dev/null +++ b/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch 
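Review bot: `filechk_package.h` in the top-level Makefile hunk pastes `$(DISTRIBUTOR)` and `$(DISTRIBUTION_VERSION)` unquoted into a shell `echo` and from there into a C string literal. A value containing a double quote, backslash or shell metacharacter would therefore yield a malformed `LINUX_PACKAGE_ID` or alter the command that runs. Both are build-environment inputs and the description only assumes they are set, so I would add a comment above the `define` stating the expected character set, or a check that fails the build when either value is empty or falls outside it. On the consumer side every C hunk passes `LINUX_PACKAGE_ID` as a `%s` argument rather than splicing it into the format string, which should stay that way.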
@@ -0,0 +1,963 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Fri, 13 Apr 2018 20:10:28 +0100 +Subject: wireless: Add Debian wireless-regdb certificates +Forwarded: not-needed + +This hex dump is generated using: + +{ + for cert in debian/certs/wireless-regdb-*.pem; do + openssl x509 -in $cert -outform der; + done +} | hexdump -v -e '1/1 "0x%.2x," "\n"' > net/wireless/certs/debian.hex + +--- +Index: linux/net/wireless/certs/debian.hex +=================================================================== +--- /dev/null ++++ linux/net/wireless/certs/debian.hex +@@ -0,0 +1,944 @@ ++0x30, ++0x82, ++0x03, ++0xac, ++0x30, ++0x82, ++0x02, ++0x94, ++0xa0, ++0x03, ++0x02, ++0x01, ++0x02, ++0x02, ++0x09, ++0x00, ++0xd9, ++0xb1, ++0xe4, ++0x6f, ++0x28, ++0xf3, ++0xd4, ++0x97, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x0b, ++0x05, ++0x00, ++0x30, ++0x6b, ++0x31, ++0x0b, ++0x30, ++0x09, ++0x06, ++0x03, ++0x55, ++0x04, ++0x06, ++0x13, ++0x02, ++0x47, ++0x42, ++0x31, ++0x13, ++0x30, ++0x11, ++0x06, ++0x03, ++0x55, ++0x04, ++0x07, ++0x0c, ++0x0a, ++0x4d, ++0x61, ++0x6e, ++0x63, ++0x68, ++0x65, ++0x73, ++0x74, ++0x65, ++0x72, ++0x31, ++0x0f, ++0x30, ++0x0d, ++0x06, ++0x03, ++0x55, ++0x04, ++0x0a, ++0x0c, ++0x06, ++0x44, ++0x65, ++0x62, ++0x69, ++0x61, ++0x6e, ++0x31, ++0x16, ++0x30, ++0x14, ++0x06, ++0x03, ++0x55, ++0x04, ++0x03, ++0x0c, ++0x0d, ++0x42, ++0x65, ++0x6e, ++0x20, ++0x48, ++0x75, ++0x74, ++0x63, ++0x68, ++0x69, ++0x6e, ++0x67, ++0x73, ++0x31, ++0x1e, ++0x30, ++0x1c, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x09, ++0x01, ++0x16, ++0x0f, ++0x62, ++0x65, ++0x6e, ++0x68, ++0x40, ++0x64, ++0x65, ++0x62, ++0x69, ++0x61, ++0x6e, ++0x2e, ++0x6f, ++0x72, ++0x67, ++0x30, ++0x1e, ++0x17, ++0x0d, ++0x31, ++0x38, ++0x30, ++0x34, ++0x31, ++0x33, ++0x31, ++0x38, ++0x32, ++0x31, ++0x34, ++0x36, ++0x5a, ++0x17, ++0x0d, ++0x31, ++0x38, ++0x30, ++0x35, ++0x31, ++0x33, ++0x31, ++0x38, ++0x32, 
++0x31, ++0x34, ++0x36, ++0x5a, ++0x30, ++0x6b, ++0x31, ++0x0b, ++0x30, ++0x09, ++0x06, ++0x03, ++0x55, ++0x04, ++0x06, ++0x13, ++0x02, ++0x47, ++0x42, ++0x31, ++0x13, ++0x30, ++0x11, ++0x06, ++0x03, ++0x55, ++0x04, ++0x07, ++0x0c, ++0x0a, ++0x4d, ++0x61, ++0x6e, ++0x63, ++0x68, ++0x65, ++0x73, ++0x74, ++0x65, ++0x72, ++0x31, ++0x0f, ++0x30, ++0x0d, ++0x06, ++0x03, ++0x55, ++0x04, ++0x0a, ++0x0c, ++0x06, ++0x44, ++0x65, ++0x62, ++0x69, ++0x61, ++0x6e, ++0x31, ++0x16, ++0x30, ++0x14, ++0x06, ++0x03, ++0x55, ++0x04, ++0x03, ++0x0c, ++0x0d, ++0x42, ++0x65, ++0x6e, ++0x20, ++0x48, ++0x75, ++0x74, ++0x63, ++0x68, ++0x69, ++0x6e, ++0x67, ++0x73, ++0x31, ++0x1e, ++0x30, ++0x1c, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x09, ++0x01, ++0x16, ++0x0f, ++0x62, ++0x65, ++0x6e, ++0x68, ++0x40, ++0x64, ++0x65, ++0x62, ++0x69, ++0x61, ++0x6e, ++0x2e, ++0x6f, ++0x72, ++0x67, ++0x30, ++0x82, ++0x01, ++0x22, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x01, ++0x05, ++0x00, ++0x03, ++0x82, ++0x01, ++0x0f, ++0x00, ++0x30, ++0x82, ++0x01, ++0x0a, ++0x02, ++0x82, ++0x01, ++0x01, ++0x00, ++0x9d, ++0xe1, ++0x77, ++0xa0, ++0x24, ++0xa0, ++0xd5, ++0x79, ++0x65, ++0x3a, ++0x07, ++0x90, ++0xc9, ++0xf6, ++0xa5, ++0xa6, ++0x1f, ++0x84, ++0x1c, ++0x23, ++0x07, ++0x4b, ++0x4f, ++0xa5, ++0x03, ++0xc6, ++0x0f, ++0xf7, ++0x54, ++0xd5, ++0x8b, ++0x7e, ++0x79, ++0x81, ++0x00, ++0xd2, ++0xe9, ++0x3d, ++0xf4, ++0x97, ++0xfe, ++0x84, ++0xcd, ++0x55, ++0xbd, ++0xc9, ++0x8f, ++0x21, ++0x57, ++0x88, ++0x06, ++0x39, ++0x90, ++0x66, ++0x41, ++0x26, ++0x79, ++0x2c, ++0xca, ++0x3f, ++0x95, ++0x87, ++0x01, ++0x11, ++0x2f, ++0x2f, ++0xb0, ++0xe1, ++0x0b, ++0x43, ++0xfc, ++0x5f, ++0x2f, ++0x4f, ++0x67, ++0x04, ++0xdb, ++0x4d, ++0xb7, ++0x72, ++0x4d, ++0xd1, ++0xc5, ++0x76, ++0x73, ++0x4d, ++0x91, ++0x69, ++0xb0, ++0x71, ++0x17, ++0x36, ++0xea, ++0xab, ++0x0a, ++0x3a, ++0xcd, ++0x95, ++0x9b, ++0x76, ++0x1b, ++0x8e, ++0x21, ++0x17, 
++0x8f, ++0xc5, ++0x02, ++0xbf, ++0x24, ++0xc7, ++0xc0, ++0x40, ++0xb1, ++0x3b, ++0xc4, ++0x80, ++0x7c, ++0x71, ++0xa5, ++0x51, ++0xdc, ++0xf7, ++0x3a, ++0x58, ++0x7f, ++0xb1, ++0x07, ++0x81, ++0x8a, ++0x10, ++0xd1, ++0xf6, ++0x93, ++0x17, ++0x71, ++0xe0, ++0xfa, ++0x51, ++0x79, ++0x15, ++0xd4, ++0xd7, ++0x8f, ++0xad, ++0xbd, ++0x6f, ++0x38, ++0xe1, ++0x26, ++0x7d, ++0xbc, ++0xf0, ++0x3e, ++0x80, ++0x89, ++0xb4, ++0xec, ++0x8e, ++0x69, ++0x90, ++0xdb, ++0x97, ++0x8a, ++0xf0, ++0x23, ++0x23, ++0x83, ++0x82, ++0x3b, ++0x6a, ++0xb1, ++0xac, ++0xeb, ++0xe7, ++0x99, ++0x74, ++0x2a, ++0x35, ++0x8e, ++0xa9, ++0x64, ++0xfd, ++0x46, ++0x9e, ++0xe8, ++0xe5, ++0x48, ++0x61, ++0x31, ++0x6e, ++0xe6, ++0xfc, ++0x19, ++0x18, ++0x54, ++0xc3, ++0x1b, ++0x4f, ++0xd6, ++0x00, ++0x44, ++0x87, ++0x1c, ++0x37, ++0x45, ++0xea, ++0xf5, ++0xc9, ++0xcb, ++0x0f, ++0x0c, ++0x55, ++0xec, ++0xcf, ++0x6a, ++0xc2, ++0x45, ++0x26, ++0x23, ++0xa2, ++0x31, ++0x52, ++0x4d, ++0xee, ++0x21, ++0x7d, ++0xfd, ++0x58, ++0x72, ++0xc2, ++0x28, ++0xc5, ++0x8e, ++0xa9, ++0xd0, ++0xee, ++0x01, ++0x77, ++0x08, ++0xa5, ++0xf0, ++0x22, ++0x2b, ++0x47, ++0x79, ++0x2b, ++0xcf, ++0x9a, ++0x46, ++0xb5, ++0x8f, ++0xfd, ++0x64, ++0xa2, ++0xb5, ++0xed, ++0x02, ++0x03, ++0x01, ++0x00, ++0x01, ++0xa3, ++0x53, ++0x30, ++0x51, ++0x30, ++0x1d, ++0x06, ++0x03, ++0x55, ++0x1d, ++0x0e, ++0x04, ++0x16, ++0x04, ++0x14, ++0xd3, ++0xfb, ++0x2d, ++0xdb, ++0xf0, ++0x8e, ++0xfa, ++0x67, ++0x6d, ++0x2f, ++0x21, ++0x99, ++0x4c, ++0xeb, ++0x41, ++0x59, ++0xe6, ++0x9d, ++0xd8, ++0xd5, ++0x30, ++0x1f, ++0x06, ++0x03, ++0x55, ++0x1d, ++0x23, ++0x04, ++0x18, ++0x30, ++0x16, ++0x80, ++0x14, ++0xd3, ++0xfb, ++0x2d, ++0xdb, ++0xf0, ++0x8e, ++0xfa, ++0x67, ++0x6d, ++0x2f, ++0x21, ++0x99, ++0x4c, ++0xeb, ++0x41, ++0x59, ++0xe6, ++0x9d, ++0xd8, ++0xd5, ++0x30, ++0x0f, ++0x06, ++0x03, ++0x55, ++0x1d, ++0x13, ++0x01, ++0x01, ++0xff, ++0x04, ++0x05, ++0x30, ++0x03, ++0x01, ++0x01, ++0xff, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, 
++0xf7, ++0x0d, ++0x01, ++0x01, ++0x0b, ++0x05, ++0x00, ++0x03, ++0x82, ++0x01, ++0x01, ++0x00, ++0x71, ++0x71, ++0xe4, ++0xcd, ++0x40, ++0x84, ++0xf3, ++0x60, ++0x34, ++0x6a, ++0x78, ++0xdc, ++0xe7, ++0x81, ++0x20, ++0x8f, ++0x1e, ++0x7f, ++0x54, ++0x31, ++0x8e, ++0x4a, ++0xe5, ++0x69, ++0x91, ++0x1c, ++0x4c, ++0x77, ++0x00, ++0x47, ++0x09, ++0x98, ++0x91, ++0xf4, ++0x27, ++0x52, ++0x9a, ++0x2d, ++0x30, ++0x87, ++0x4c, ++0x51, ++0x51, ++0x1f, ++0xae, ++0xd8, ++0x8c, ++0xdb, ++0x3c, ++0x73, ++0x06, ++0x43, ++0xc6, ++0x1f, ++0x3a, ++0xba, ++0xaf, ++0x9e, ++0xd2, ++0xeb, ++0x3e, ++0x9f, ++0xd1, ++0xb2, ++0x8a, ++0xa2, ++0x16, ++0x08, ++0x26, ++0xa1, ++0x39, ++0x0c, ++0x63, ++0xe7, ++0x2d, ++0x78, ++0x9c, ++0xac, ++0x2c, ++0x4e, ++0x69, ++0xd5, ++0xa0, ++0xfd, ++0xbd, ++0xea, ++0x95, ++0xfe, ++0xe2, ++0x69, ++0x06, ++0xe1, ++0xb2, ++0x27, ++0x90, ++0x68, ++0xd8, ++0x3a, ++0xac, ++0xd6, ++0xa0, ++0x4e, ++0xe2, ++0x8a, ++0xfa, ++0xff, ++0x9c, ++0x98, ++0x6b, ++0x60, ++0x83, ++0xea, ++0xe7, ++0x46, ++0x24, ++0x09, ++0x21, ++0x12, ++0xa8, ++0xfe, ++0xaa, ++0x46, ++0x0d, ++0x24, ++0xa5, ++0xcf, ++0x52, ++0x37, ++0x48, ++0xb9, ++0xe2, ++0xb1, ++0xd6, ++0xb0, ++0xe4, ++0xbf, ++0x6f, ++0x59, ++0x7b, ++0x17, ++0x9e, ++0xdd, ++0x24, ++0x00, ++0xee, ++0xc6, ++0x89, ++0x76, ++0xe9, ++0x35, ++0x40, ++0x1f, ++0xeb, ++0x7d, ++0x23, ++0x8c, ++0xed, ++0x13, ++0x6c, ++0x66, ++0xbc, ++0xc4, ++0x88, ++0xb5, ++0x55, ++0x9a, ++0xec, ++0xbd, ++0x52, ++0x0d, ++0x0b, ++0xc5, ++0x40, ++0xe1, ++0xfe, ++0xb7, ++0x20, ++0xb1, ++0x22, ++0x16, ++0x32, ++0xed, ++0x28, ++0x3e, ++0x1f, ++0xbf, ++0xf2, ++0x00, ++0x12, ++0x75, ++0x92, ++0xd7, ++0x99, ++0x2e, ++0x25, ++0xfb, ++0xf2, ++0xe6, ++0xfd, ++0x2a, ++0x10, ++0xd1, ++0x75, ++0x89, ++0x31, ++0x52, ++0xe4, ++0xb2, ++0xc2, ++0xee, ++0xcd, ++0x41, ++0xa3, ++0x08, ++0x48, ++0x18, ++0x5e, ++0x66, ++0x42, ++0x67, ++0xcf, ++0x0b, ++0x2a, ++0x26, ++0x6b, ++0x65, ++0x87, ++0x4d, ++0xfa, ++0x04, ++0x51, ++0xec, ++0xed, ++0x03, ++0x8b, ++0x38, ++0x52, ++0x93, 
++0x6d, ++0xc4, ++0x30, ++0x41, ++0x9a, ++0x6c, ++0x28, ++0x35, ++0xf0, ++0x87, ++0x15, ++0xce, ++0x78, ++0x4f, ++0x32, ++0xca, ++0x52, ++0xed, diff --git a/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch b/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch new file mode 100644 index 000000000..6815dc947 --- /dev/null +++ b/debian/patches/debian/wireless-disable-regulatory.db-direct-loading.patch 
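Review bot: The single certificate encoded in debian.hex (944 bytes, matching the DER length in its first four bytes) is valid for only one month: the two UTCTime fields in the dump decode to 180413182146Z and 180513182146Z. The patch header should say whether that expiry matters for regulatory.db verification (I have not checked here whether the keyring code consults notAfter) and how the key is meant to be rotated, since the blob is presumably compiled into the kernel image. Its issuer and subject are identical and basicConstraints marks it CA:TRUE, so what this key is trusted to sign also belongs next to the generation command. As far as this page shows, the wireless-disable-regulatory.db-direct-loading patch stubs out `load_builtin_regdb_keys()`, so the certificate is not yet consulted at run time.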
@@ -0,0 +1,75 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 05 Apr 2018 18:13:52 +0200
+Subject: wireless: Disable regulatory.db direct loading
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/892229
+
+Don't complain about being unable to load regulatory.db directly.
+This is expected until we generate a signing key and update
+wireless-regdb to be signed with it.
+
+Index: linux/net/wireless/reg.c
+===================================================================
+--- linux.orig/net/wireless/reg.c
++++ linux/net/wireless/reg.c
+@@ -476,6 +476,7 @@ static void reg_regdb_apply(struct work_
+
+ static DECLARE_WORK(reg_regdb_work, reg_regdb_apply);
+
++#if 0
+ static int reg_schedule_apply(const struct ieee80211_regdomain *regdom)
+ {
+ struct reg_regdb_apply_request *request;
+@@ -495,6 +496,7 @@ static int reg_schedule_apply(const stru
+ schedule_work(®_regdb_work);
+ return 0;
+ }
++#endif
+
+ #ifdef CONFIG_CFG80211_CRDA_SUPPORT
+ /* Max number of consecutive attempts to communicate with CRDA */
+@@ -574,6 +576,35 @@ static inline int call_crda(const char *
+ /* code to directly load a firmware database through request_firmware */
+ static const struct fwdb_header *regdb;
+
++#if 1
++
++static int load_builtin_regdb_keys(void)
++{
++ return 0;
++}
++
++static void free_regdb_keyring(void)
++{
++}
++
++static int query_regdb_file(const char *alpha2)
++{
++ return -ENOENT;
++}
++
++int reg_reload_regdb(void)
++{
++ return -ENOENT;
++}
++
++int reg_query_regdb_wmm(char *alpha2, int freq, struct ieee80211_reg_rule *rule)
++{
++ return -ENODATA;
++}
++EXPORT_SYMBOL(reg_query_regdb_wmm);
++
++#else /* disabled until we update wireless-regdb */
++
+ struct fwdb_country {
+ u8 alpha2[2];
+ __be16 coll_ptr;
+@@ -1090,6 +1121,8 @@ int reg_reload_regdb(void)
+ return err;
+ }
+
++#endif
++
+ static bool reg_query_database(struct regulatory_request *request)
+ {
+ if (query_regdb_file(request->alpha2) == 0)
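Review bot: The bare `#if 0` around `reg_schedule_apply()` and the bare `#if 1` that opens the stub block give no reason where a reader first meets them; only the distant `#else` carries the explanation. I would annotate both, e.g. `#if 0 /* see stub block below: direct regulatory.db loading is disabled */` and `#if 1 /* stubs while direct regulatory.db loading is disabled */`. The stubs also deserve a short comment saying that `load_builtin_regdb_keys()` returning 0 means no regdb signing keys are loaded and that `query_regdb_file()` always returns -ENOENT, so the `== 0` branch of `reg_query_database()` is never taken. `reg_schedule_apply()` and `reg_query_database()` both extend outside the hunks shown.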
diff --git a/debian/patches/debian/yama-disable-by-default.patch b/debian/patches/debian/yama-disable-by-default.patch
new file mode 100644
index 000000000..f35a598ae
--- /dev/null
+++ b/debian/patches/debian/yama-disable-by-default.patch
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: yama: Disable by default
+Date: Wed, 19 Jun 2013 04:35:28 +0100
+Bug-Debian: https://bugs.debian.org/712740
+Forwarded: not-needed
+
+Index: linux/security/yama/yama_lsm.c
+===================================================================
+--- linux.orig/security/yama/yama_lsm.c
++++ linux/security/yama/yama_lsm.c
+@@ -28,7 +28,7 @@
+ #define YAMA_SCOPE_CAPABILITY 2
+ #define YAMA_SCOPE_NO_ATTACH 3
+
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = YAMA_SCOPE_DISABLED;
+
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
+@@ -481,7 +481,7 @@ static inline void yama_init_sysctl(void
+
+ void __init yama_add_hooks(void)
+ {
+- pr_info("Yama: becoming mindful.\n");
++ pr_info("Yama: disabled by default; enable with sysctl kernel.yama.*\n");
+ security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
+ yama_init_sysctl();
+ } |
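Review bot: The new `pr_info` text in `yama_add_hooks()` points the administrator at `kernel.yama.*` without naming the sysctl that reverses this default, which matters because the first hunk sets `ptrace_scope` to `YAMA_SCOPE_DISABLED` and so leaves Yama's ptrace restriction off until someone raises it. I would spell it out, `pr_info("Yama: disabled by default; enable with sysctl kernel.yama.ptrace_scope\n");`, and add a comment above the variable such as `/* Debian default: no additional ptrace restriction; raise via kernel.yama.ptrace_scope */`. The hooks are still registered by `security_add_hooks()` in the same function, so "disabled" describes the policy value and not the module. The comment should say that as well, since it is what someone auditing a running system will want to know.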