Diffstat (limited to 'debian/patches/debian')
43 files changed, 3323 insertions, 0 deletions
diff --git a/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
new file mode 100644
index 000000000..205510d6b
--- /dev/null
+++ b/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
@@ -0,0 +1,101 @@ +From: Serge Hallyn <serge.hallyn@canonical.com> +Date: Fri, 31 May 2013 19:12:12 +0000 (+0100) +Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default +Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8 + +add sysctl to disallow unprivileged CLONE_NEWUSER by default + +This is a short-term patch. Unprivileged use of CLONE_NEWUSER +is certainly an intended feature of user namespaces. However +for at least saucy we want to make sure that, if any security +issues are found, we have a fail-safe. + +Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> +[bwh: Remove unneeded binary sysctl bits] +[bwh: Keep this sysctl, but change the default to enabled] +--- +Index: linux/kernel/fork.c +=================================================================== +--- linux.orig/kernel/fork.c ++++ linux/kernel/fork.c +@@ -108,6 +108,11 @@ + + #define CREATE_TRACE_POINTS + #include <trace/events/task.h> ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#else ++#define unprivileged_userns_clone 0 ++#endif + + /* + * Minimum number of threads to boot the kernel +@@ -2008,6 +2013,10 @@ static __latent_entropy struct task_stru + if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS)) + return ERR_PTR(-EINVAL); + ++ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) ++ if (!capable(CAP_SYS_ADMIN)) ++ return ERR_PTR(-EPERM); ++ + /* + * Thread groups must share signals as well, and detached threads + * can only be started up within the thread group. 
+@@ -3166,6 +3175,12 @@ int ksys_unshare(unsigned long unshare_f + if (unshare_flags & CLONE_NEWNS) + unshare_flags |= CLONE_FS; + ++ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) { ++ err = -EPERM; ++ if (!capable(CAP_SYS_ADMIN)) ++ goto bad_unshare_out; ++ } ++ + err = check_unshare_flags(unshare_flags); + if (err) + goto bad_unshare_out; +Index: linux/kernel/sysctl.c +=================================================================== +--- linux.orig/kernel/sysctl.c ++++ linux/kernel/sysctl.c +@@ -136,6 +136,10 @@ static enum sysctl_writes_mode sysctl_wr + int sysctl_legacy_va_layout; + #endif + ++#ifdef CONFIG_USER_NS ++extern int unprivileged_userns_clone; ++#endif ++ + #endif /* CONFIG_SYSCTL */ + + /* +@@ -1659,6 +1663,15 @@ static struct ctl_table kern_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec, + }, ++#ifdef CONFIG_USER_NS ++ { ++ .procname = "unprivileged_userns_clone", ++ .data = &unprivileged_userns_clone, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec, ++ }, ++#endif + #ifdef CONFIG_PROC_SYSCTL + { + .procname = "tainted", +Index: linux/kernel/user_namespace.c +=================================================================== +--- linux.orig/kernel/user_namespace.c ++++ linux/kernel/user_namespace.c +@@ -22,6 +22,9 @@ + #include <linux/bsearch.h> + #include <linux/sort.h> + ++/* sysctl */ ++int unprivileged_userns_clone = 1; ++ + static struct kmem_cache *user_ns_cachep __read_mostly; + static DEFINE_MUTEX(userns_state_mutex); + diff --git a/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch b/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch new file mode 100644 index 000000000..3b33f845a --- /dev/null +++ b/debian/patches/debian/af_802154-Disable-auto-loading-as-mitigation-against.patch 
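Review bot: The kern_table entry added in kernel/sysctl.c registers `unprivileged_userns_clone` with `proc_dointvec`, so any integer is accepted and only zero disables the restriction; a value such as 2 or -1 behaves like 1 and a later reader of /proc/sys cannot tell what was intended. Since both the copy_process and ksys_unshare checks only test `!unprivileged_userns_clone`, the entry should be clamped to a boolean: `.proc_handler = proc_dointvec_minmax,` with `.extra1 = SYSCTL_ZERO,` and `.extra2 = SYSCTL_ONE,`. Separately, the copy_process check is written as two nested unbraced `if` statements; a single condition `if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone && !capable(CAP_SYS_ADMIN))` avoids the dangling-body trap and reads the same as the ksys_unshare form. Both copy_process and ksys_unshare extend beyond the quoted hunks.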
@@ -0,0 +1,29 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Fri, 19 Nov 2010 02:12:48 +0000 +Subject: [PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits +Forwarded: not-needed + +Recent review has revealed several bugs in obscure protocol +implementations that can be exploited by local users for denial of +service or privilege escalation. We can mitigate the effect of any +remaining vulnerabilities in such protocols by preventing unprivileged +users from loading the modules, so that they are only exploitable on +systems where the administrator has chosen to load the protocol. + +The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was +not present in the 'lenny' kernel, and seems to receive only sporadic +maintenance. Therefore disable auto-loading. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/ieee802154/socket.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -1122,4 +1122,4 @@ module_init(af_ieee802154_init); + module_exit(af_ieee802154_remove); + + MODULE_LICENSE("GPL"); +-MODULE_ALIAS_NETPROTO(PF_IEEE802154); ++/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */ diff --git a/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch new file mode 100644 index 000000000..8a565c6c0 --- /dev/null +++ b/debian/patches/debian/android-enable-building-ashmem-and-binder-as-modules.patch 
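Review bot: The replacement line `/* MODULE_ALIAS_NETPROTO(PF_IEEE802154); */` leaves dead code in net/ieee802154/socket.c without saying why, so a routine cleanup or an upstream resync could silently restore auto-loading and undo the mitigation. A comment that names the intent, e.g. `/* Debian: auto-loading on socket(PF_IEEE802154) is deliberately disabled, see the patch description */`, makes the decision self-explanatory at the point where it matters. The same applies to the dccp hunks (net/dccp/ipv4.c and ipv6.c) and the fjes hunk (`MODULE_DEVICE_TABLE`) later on this page, which use the identical comment-out pattern. It may also be worth stating in the comment that this only stops request_module()-driven loading; an administrator who loads the module explicitly still gets the protocol, which is the behaviour the description intends.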
@@ -0,0 +1,62 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Fri, 22 Jun 2018 17:27:00 +0100 +Subject: android: Enable building ashmem and binder as modules +Bug-Debian: https://bugs.debian.org/901492 + +We want to enable use of the Android ashmem and binder drivers to +support Anbox, but they should not be built-in as that would waste +resources and increase security attack surface on systems that don't +need them. + +- Add a MODULE_LICENSE declaration to ashmem +- Change the Makefiles to build each driver as an object with the + "_linux" suffix (which is what Anbox expects) +- Change config symbol types to tristate + +Update: +In upstream commit 721412ed3d titled "staging: remove ashmem" the ashmem +driver was removed entirely. Secondary commit message: +"The mainline replacement for ashmem is memfd, so remove the legacy +code from drivers/staging/" +Consequently, the ashmem part of this patch has been removed. +--- + drivers/android/Kconfig | 2 +- + drivers/android/Makefile | 7 ++++--- + drivers/android/binder_alloc.c | 2 +- + 3 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/android/Kconfig ++++ b/drivers/android/Kconfig +@@ -2,7 +2,7 @@ + menu "Android" + + config ANDROID_BINDER_IPC +- bool "Android Binder IPC Driver" ++ tristate "Android Binder IPC Driver" + depends on MMU + default n + help +--- a/drivers/android/Makefile ++++ b/drivers/android/Makefile +@@ -1,6 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + ccflags-y += -I$(src) # needed for trace events + +-obj-$(CONFIG_ANDROID_BINDERFS) += binderfs.o +-obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o binder_alloc.o +-obj-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o ++obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o ++binder_linux-y := binder.o binder_alloc.o ++binder_linux-$(CONFIG_ANDROID_BINDERFS) += binderfs.o ++binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o +--- a/drivers/android/binder_alloc.c ++++ 
b/drivers/android/binder_alloc.c +@@ -38,7 +38,7 @@ enum { + }; + static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR; + +-module_param_named(debug_mask, binder_alloc_debug_mask, ++module_param_named(alloc_debug_mask, binder_alloc_debug_mask, + uint, 0644); + + #define binder_alloc_debug(mask, x...) \ diff --git a/debian/patches/debian/arch-sh4-fix-uimage-build.patch b/debian/patches/debian/arch-sh4-fix-uimage-build.patch new file mode 100644 index 000000000..89e626b6b --- /dev/null +++ b/debian/patches/debian/arch-sh4-fix-uimage-build.patch @@ -0,0 +1,26 @@ +From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org> +Subject: [sh4] Fix uImage build +Bug-Debian: https://bugs.debian.org/569034 +Forwarded: not-needed + +[bwh: This was added without a description, but I think it is done + only to avoid a build-dependency on u-boot-tools.] +--- + arch/sh/Makefile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/sh/Makefile b/arch/sh/Makefile +index da9cf952f33c..974bbd9dcfcf 100644 +--- a/arch/sh/Makefile ++++ b/arch/sh/Makefile +@@ -85,7 +85,6 @@ OBJCOPYFLAGS := -O binary -R .note -R .note.gnu.build-id -R .comment \ + + # Give the various platforms the opportunity to set default image types + defaultimage-y := zImage +-defaultimage-$(CONFIG_SH_SH7785LCR) := uImage + defaultimage-$(CONFIG_SH_RSK) := uImage + defaultimage-$(CONFIG_SH_URQUELL) := uImage + defaultimage-$(CONFIG_SH_MIGOR) := uImage +-- +2.27.0 + diff --git a/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch new file mode 100644 index 000000000..9f21e0705 --- /dev/null +++ b/debian/patches/debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch 
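Review bot: The `module_param_named(alloc_debug_mask, …)` rename in drivers/android/binder_alloc.c changes a user-visible module parameter name, but the patch description lists only the MODULE_LICENSE, Makefile and tristate changes and never mentions it. Presumably it is needed because binder.c and binder_alloc.c now link into a single `binder_linux` module and cannot both register a parameter called `debug_mask`; if so the description should say so, e.g. `- Rename binder_alloc's debug_mask parameter to alloc_debug_mask, since it now shares a module with binder.c`. The first bullet about adding a MODULE_LICENSE to ashmem is also stale once the "Update" paragraph says the ashmem part was dropped, so it should be removed or marked as historical.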
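Review bot: The arch/sh/Makefile hunk drops only the SH7785LCR uImage default while the RSK, URQUELL and MIGOR lines in the same context block still default to uImage, so if the purpose bwh guesses at (avoiding a u-boot-tools build dependency) is correct it is only achieved for one board. Either the remaining `defaultimage-$(CONFIG_SH_…) := uImage` lines should go as well, or the header should record why only SH7785LCR is affected, e.g. `[bwh: Only SH7785LCR is enabled in Debian configs, so only its default is changed]` — that reasoning is not on the page and would need confirming before being written down.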
@@ -0,0 +1,35 @@ +From: Adam Borowski <kilobyte@angband.pl> +Date: Tue, 28 Mar 2017 16:55:05 +0200 +Subject: btrfs: warn about RAID5/6 being experimental at mount time +Bug-Debian: https://bugs.debian.org/863290 +Origin: https://bugs.debian.org/863290#5 + +Too many people come complaining about losing their data -- and indeed, +there's no warning outside a wiki and the mailing list tribal knowledge. +Message severity chosen for consistency with XFS -- "alert" makes dmesg +produce nice red background which should get the point across. + +Signed-off-by: Adam Borowski <kilobyte@angband.pl> +[bwh: Also add_taint() so this is flagged in bug reports] +--- + fs/btrfs/disk-io.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3060,6 +3060,15 @@ retry_root_backup: + btrfs_set_and_info(fs_info, SSD, "enabling ssd optimizations"); + } + ++ if ((fs_info->avail_data_alloc_bits | ++ fs_info->avail_metadata_alloc_bits | ++ fs_info->avail_system_alloc_bits) & ++ BTRFS_BLOCK_GROUP_RAID56_MASK) { ++ btrfs_alert(fs_info, ++ "btrfs RAID5/6 is EXPERIMENTAL and has known data-loss bugs"); ++ add_taint(TAINT_AUX, LOCKDEP_STILL_OK); ++ } ++ + /* + * Mount does not set all options immediately, we can do it now and do + * not have to wait for transaction commit diff --git a/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch b/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch new file mode 100644 index 000000000..70b446860 --- /dev/null +++ b/debian/patches/debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch 
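Review bot: The embedded diffstat says `fs/btrfs/disk-io.c | 8 ++++++++` and `1 file changed, 8 insertions(+)`, but the hunk header `@@ -3060,6 +3060,15 @@` and the nine `+` lines show nine insertions, so the stat is stale from an earlier revision of the patch. quilt ignores it, but a reader comparing stat and hunk will assume a line went missing; refresh it to `fs/btrfs/disk-io.c | 9 +++++++++` / `1 file changed, 9 insertions(+)`.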
@@ -0,0 +1,27 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Subject: cdc_ncm,cdc_mbim: Use NCM by default +Date: Sun, 31 Mar 2013 03:58:04 +0100 +Forwarded: not-needed + +Devices that support both NCM and MBIM modes should be kept in NCM +mode unless there is userland support for MBIM. + +Set the default value of cdc_ncm.prefer_mbim to false and leave it to +userland (modem-manager) to override this with a modprobe.conf file +once it's ready to speak MBIM. + +--- +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -53,11 +53,7 @@ + #include <linux/usb/cdc.h> + #include <linux/usb/cdc_ncm.h> + +-#if IS_ENABLED(CONFIG_USB_NET_CDC_MBIM) +-static bool prefer_mbim = true; +-#else + static bool prefer_mbim; +-#endif + module_param(prefer_mbim, bool, 0644); + MODULE_PARM_DESC(prefer_mbim, "Prefer MBIM setting on dual NCM/MBIM functions"); + diff --git a/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch new file mode 100644 index 000000000..83583184e --- /dev/null +++ b/debian/patches/debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch 
@@ -0,0 +1,41 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Thu, 16 Feb 2017 19:09:17 +0000 +Subject: dccp: Disable auto-loading as mitigation against local exploits +Forwarded: not-needed + +We can mitigate the effect of vulnerabilities in obscure protocols by +preventing unprivileged users from loading the modules, so that they +are only exploitable on systems where the administrator has chosen to +load the protocol. + +The 'dccp' protocol is not actively maintained or widely used. +Therefore disable auto-loading. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -1071,8 +1071,8 @@ module_exit(dccp_v4_exit); + * values directly, Also cover the case where the protocol is not specified, + * i.e. net-pf-PF_INET-proto-0-type-SOCK_DCCP + */ +-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); +-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); ++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 33, 6); */ ++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 0, 6); */ + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>"); + MODULE_DESCRIPTION("DCCP - Datagram Congestion Controlled Protocol"); +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -1125,8 +1125,8 @@ module_exit(dccp_v6_exit); + * values directly, Also cover the case where the protocol is not specified, + * i.e. net-pf-PF_INET6-proto-0-type-SOCK_DCCP + */ +-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); +-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); ++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 33, 6); */ ++/* MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET6, 0, 6); */ + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Arnaldo Carvalho de Melo <acme@mandriva.com>"); + MODULE_DESCRIPTION("DCCPv6 - Datagram Congestion Controlled Protocol"); 
diff --git a/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch b/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch new file mode 100644 index 000000000..0e5176908 --- /dev/null +++ b/debian/patches/debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch @@ -0,0 +1,29 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Mon, 13 Apr 2009 17:34:00 +0100 +Subject: Remove microcode patches for mgsuvd (not enabled in Debian configs) +Forwarded: not-needed + +diff --git a/arch/powerpc/platforms/8xx/Kconfig b/arch/powerpc/platforms/8xx/Kconfig +index 48a920a..81570b6 100644 +--- a/arch/powerpc/platforms/8xx/Kconfig ++++ b/arch/powerpc/platforms/8xx/Kconfig +@@ -160,16 +160,19 @@ config NO_UCODE_PATCH + + config USB_SOF_UCODE_PATCH + bool "USB SOF patch" ++ depends on BROKEN + help + Help not implemented yet, coming soon. + + config I2C_SPI_UCODE_PATCH + bool "I2C/SPI relocation patch" ++ depends on BROKEN + help + Help not implemented yet, coming soon. + + config I2C_SPI_SMC1_UCODE_PATCH + bool "I2C/SPI/SMC1 relocation patch" ++ depends on BROKEN + help + Help not implemented yet, coming soon. + diff --git a/debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch b/debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch new file mode 100644 index 000000000..840cf24d7 --- /dev/null +++ b/debian/patches/debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch 
@@ -0,0 +1,18 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sat, 24 Aug 2019 19:00:41 +0100 +Subject: Documentation: Fix broken link to CIPSO draft +Forwarded: not-needed + +We exclude the CIPSO draft text as its licence is not DFSG compliant. +Link to the IETF's online version instead. + +--- +--- a/Documentation/netlabel/draft_ietf.rst ++++ b/Documentation/netlabel/draft_ietf.rst +@@ -1,5 +1,4 @@ + Draft IETF CIPSO IP Security + ---------------------------- + +- .. include:: draft-ietf-cipso-ipsecurity-01.txt +- :literal: ++https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01 diff --git a/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch b/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch new file mode 100644 index 000000000..4e42da9a9 --- /dev/null +++ b/debian/patches/debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch @@ -0,0 +1,15 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Mon, 17 Aug 2009 02:45:41 +0100 +Subject: dvb-usb-af9005: mark as broken +Forwarded: not-needed + +--- a/drivers/media/usb/dvb-usb/Kconfig ++++ b/drivers/media/usb/dvb-usb/Kconfig +@@ -227,6 +227,7 @@ config DVB_USB_OPERA1 + + config DVB_USB_AF9005 + tristate "Afatech AF9005 DVB-T USB1.1 support" ++ depends on BROKEN + depends on DVB_USB + select MEDIA_TUNER_MT2060 if MEDIA_SUBDRV_AUTOSELECT + select MEDIA_TUNER_QT1010 if MEDIA_SUBDRV_AUTOSELECT diff --git a/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch b/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch new file mode 100644 index 000000000..3bf7ca6b3 --- /dev/null +++ b/debian/patches/debian/dfsg/drivers-net-appletalk-cops.patch 
@@ -0,0 +1,55 @@ +From: Frederik Schüler <fs@debian.org> +Date: Fri, 05 Jan 2007 15:55:24 +0000 +Subject: Add removal patches for: 3c359, smctr, keyspan, cops +Forwarded: not-needed + +--- + drivers/net/appletalk/Kconfig | 26 -------------------------- + drivers/net/appletalk/Makefile | 1 - + 2 files changed, 27 deletions(-) + +--- a/drivers/net/appletalk/Kconfig ++++ b/drivers/net/appletalk/Kconfig +@@ -39,35 +39,6 @@ config DEV_APPLETALK + connect to the AppleTalk network, say Y. + + +-config COPS +- tristate "COPS LocalTalk PC support" +- depends on DEV_APPLETALK && ISA +- depends on NETDEVICES +- select NETDEV_LEGACY_INIT +- help +- This allows you to use COPS AppleTalk cards to connect to LocalTalk +- networks. You also need version 1.3.3 or later of the netatalk +- package. This driver is experimental, which means that it may not +- work. This driver will only work if you choose "AppleTalk DDP" +- networking support, above. +- Please read the file +- <file:Documentation/networking/device_drivers/appletalk/cops.rst>. +- +-config COPS_DAYNA +- bool "Dayna firmware support" +- depends on COPS +- help +- Support COPS compatible cards with Dayna style firmware (Dayna +- DL2000/ Daynatalk/PC (half length), COPS LT-95, Farallon PhoneNET PC +- III, Farallon PhoneNET PC II). +- +-config COPS_TANGENT +- bool "Tangent firmware support" +- depends on COPS +- help +- Support COPS compatible cards with Tangent style firmware (Tangent +- ATB_II, Novell NL-1000, Daystar Digital LT-200. +- + config IPDDP + tristate "Appletalk-IP driver support" + depends on DEV_APPLETALK && ATALK +--- a/drivers/net/appletalk/Makefile ++++ b/drivers/net/appletalk/Makefile +@@ -4,4 +4,3 @@ + # + + obj-$(CONFIG_IPDDP) += ipddp.o +-obj-$(CONFIG_COPS) += cops.o diff --git a/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch b/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch new file mode 100644 index 000000000..4adc90c2d --- /dev/null 
+++ b/debian/patches/debian/dfsg/video-remove-nvidiafb-and-rivafb.patch 
@@ -0,0 +1,128 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sat, 2 Jun 2012 19:53:38 +0100 +Subject: video: Remove nvidiafb and rivafb +Bug-Debian: https://bugs.debian.org/383481 +Forwarded: no + +These drivers contain register programming code provided by the +hardware vendor that appears to have been deliberately obfuscated. +This is arguably not the preferred form for modification. + +These drivers are also largely redundant with nouveau. The RIVA 128 +(NV3) is not supported by nouveau but is about 15 years old and +probably discontinued 10 years ago. + +--- +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -866,99 +866,6 @@ config FB_ATMEL + help + This enables support for the AT91 LCD Controller. + +-config FB_NVIDIA +- tristate "nVidia Framebuffer Support" +- depends on FB && PCI +- select FB_BACKLIGHT if FB_NVIDIA_BACKLIGHT +- select FB_MODE_HELPERS +- select FB_CFB_FILLRECT +- select FB_CFB_COPYAREA +- select FB_CFB_IMAGEBLIT +- select BITREVERSE +- select VGASTATE +- help +- This driver supports graphics boards with the nVidia chips, TNT +- and newer. For very old chipsets, such as the RIVA128, then use +- the rivafb. +- Say Y if you have such a graphics board. +- +- To compile this driver as a module, choose M here: the +- module will be called nvidiafb. +- +-config FB_NVIDIA_I2C +- bool "Enable DDC Support" +- depends on FB_NVIDIA +- select FB_DDC +- help +- This enables I2C support for nVidia Chipsets. This is used +- only for getting EDID information from the attached display +- allowing for robust video mode handling and switching. +- +- Because fbdev-2.6 requires that drivers must be able to +- independently validate video mode parameters, you should say Y +- here. +- +-config FB_NVIDIA_DEBUG +- bool "Lots of debug output" +- depends on FB_NVIDIA +- help +- Say Y here if you want the nVidia driver to output all sorts +- of debugging information to provide to the maintainer when +- something goes wrong. 
+- +-config FB_NVIDIA_BACKLIGHT +- bool "Support for backlight control" +- depends on FB_NVIDIA +- default y +- help +- Say Y here if you want to control the backlight of your display. +- +-config FB_RIVA +- tristate "nVidia Riva support" +- depends on FB && PCI +- select FB_BACKLIGHT if FB_RIVA_BACKLIGHT +- select FB_MODE_HELPERS +- select FB_CFB_FILLRECT +- select FB_CFB_COPYAREA +- select FB_CFB_IMAGEBLIT +- select BITREVERSE +- select VGASTATE +- help +- This driver supports graphics boards with the nVidia Riva/Geforce +- chips. +- Say Y if you have such a graphics board. +- +- To compile this driver as a module, choose M here: the +- module will be called rivafb. +- +-config FB_RIVA_I2C +- bool "Enable DDC Support" +- depends on FB_RIVA +- select FB_DDC +- help +- This enables I2C support for nVidia Chipsets. This is used +- only for getting EDID information from the attached display +- allowing for robust video mode handling and switching. +- +- Because fbdev-2.6 requires that drivers must be able to +- independently validate video mode parameters, you should say Y +- here. +- +-config FB_RIVA_DEBUG +- bool "Lots of debug output" +- depends on FB_RIVA +- help +- Say Y here if you want the Riva driver to output all sorts +- of debugging information to provide to the maintainer when +- something goes wrong. +- +-config FB_RIVA_BACKLIGHT +- bool "Support for backlight control" +- depends on FB_RIVA +- default y +- help +- Say Y here if you want to control the backlight of your display. +- + config FB_I740 + tristate "Intel740 support" + depends on FB && PCI +--- a/drivers/video/fbdev/Makefile ++++ b/drivers/video/fbdev/Makefile +@@ -21,8 +21,6 @@ obj-$(CONFIG_FB_PM3) += pm3fb.o + + obj-$(CONFIG_FB_I740) += i740fb.o + obj-$(CONFIG_FB_MATROX) += matrox/ +-obj-$(CONFIG_FB_RIVA) += riva/ +-obj-$(CONFIG_FB_NVIDIA) += nvidia/ + obj-$(CONFIG_FB_ATY) += aty/ macmodes.o + obj-$(CONFIG_FB_ATY128) += aty/ macmodes.o + obj-$(CONFIG_FB_RADEON) += aty/ 
diff --git a/debian/patches/debian/dfsg/vs6624-disable.patch b/debian/patches/debian/dfsg/vs6624-disable.patch new file mode 100644 index 000000000..182be87d3 --- /dev/null +++ b/debian/patches/debian/dfsg/vs6624-disable.patch @@ -0,0 +1,19 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sun, 27 May 2012 01:56:58 +0100 +Subject: vs6624: mark as broken +Forwarded: not-needed + +--- + drivers/media/i2c/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/Kconfig ++++ b/drivers/media/i2c/Kconfig +@@ -754,6 +754,7 @@ config VIDEO_SR030PC30 + This driver supports SR030PC30 VGA camera from Siliconfile + + config VIDEO_VS6624 ++ depends on BROKEN + tristate "ST VS6624 sensor support" + depends on VIDEO_DEV && I2C + help diff --git a/debian/patches/debian/documentation-drop-sphinx-version-check.patch b/debian/patches/debian/documentation-drop-sphinx-version-check.patch new file mode 100644 index 000000000..14f0ee40b --- /dev/null +++ b/debian/patches/debian/documentation-drop-sphinx-version-check.patch 
@@ -0,0 +1,47 @@ +From 252aa79fdbd4ac2da09d9b98f81bf11f5e3e1870 Mon Sep 17 00:00:00 2001 +From: Bastian Blank <waldi@debian.org> +Date: Tue, 4 Aug 2020 09:44:19 +0000 +Subject: [PATCH 1/2] Documentation: Drop sphinx version check +Forwarded: not-needed + +--- + Documentation/Makefile | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/Documentation/Makefile ++++ b/Documentation/Makefile +@@ -92,14 +92,12 @@ quiet_cmd_sphinx = SPHINX $@ --> file:/ + fi + + htmldocs: +- @$(srctree)/scripts/sphinx-pre-install --version-check + @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,html,$(var),,$(var))) + + linkcheckdocs: + @$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,linkcheck,$(var),,$(var))) + + latexdocs: +- @$(srctree)/scripts/sphinx-pre-install --version-check + @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,latex,$(var),latex,$(var))) + + ifeq ($(HAVE_PDFLATEX),0) +@@ -111,7 +109,6 @@ pdfdocs: + else # HAVE_PDFLATEX + + pdfdocs: latexdocs +- @$(srctree)/scripts/sphinx-pre-install --version-check + $(foreach var,$(SPHINXDIRS), \ + $(MAKE) PDFLATEX="$(PDFLATEX)" LATEXOPTS="$(LATEXOPTS)" -C $(BUILDDIR)/$(var)/latex || exit; \ + mkdir -p $(BUILDDIR)/$(var)/pdf; \ +@@ -121,11 +118,9 @@ pdfdocs: latexdocs + endif # HAVE_PDFLATEX + + epubdocs: +- @$(srctree)/scripts/sphinx-pre-install --version-check + @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,epub,$(var),epub,$(var))) + + xmldocs: +- @$(srctree)/scripts/sphinx-pre-install --version-check + @+$(foreach var,$(SPHINXDIRS),$(call loop_cmd,sphinx,xml,$(var),xml,$(var))) + + endif # HAVE_SPHINX diff --git a/debian/patches/debian/export-symbols-needed-by-android-drivers.patch b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch new file mode 100644 index 000000000..860812230 --- /dev/null +++ b/debian/patches/debian/export-symbols-needed-by-android-drivers.patch 
@@ -0,0 +1,113 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Mon, 07 Sep 2020 02:51:53 +0100 +Subject: Export symbols needed by Android drivers +Bug-Debian: https://bugs.debian.org/901492 + +We want to enable use of the Android ashmem and binder drivers to +support Anbox, but they should not be built-in as that would waste +resources and increase security attack surface on systems that don't +need them. + +Export the currently un-exported symbols they depend on. + +--- + fs/file.c | 1 + + kernel/sched/core.c | 1 + + kernel/sched/wait.c | 1 + + kernel/task_work.c | 1 + + mm/memory.c | 1 + + mm/shmem.c | 1 + + security/security.c | 4 ++++ + 7 files changed, 10 insertions(+) + +--- a/fs/file.c ++++ b/fs/file.c +@@ -813,6 +813,7 @@ struct file *close_fd_get_file(unsigned + + return file; + } ++EXPORT_SYMBOL_GPL(close_fd_get_file); + + void do_close_on_exec(struct files_struct *files) + { +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -7052,6 +7052,7 @@ static bool is_nice_reduction(const stru + + return (nice_rlim <= task_rlimit(p, RLIMIT_NICE)); + } ++EXPORT_SYMBOL_GPL(can_nice); + + /* + * can_nice - check if a task can reduce its nice value +--- a/kernel/sched/wait.c ++++ b/kernel/sched/wait.c +@@ -243,6 +243,7 @@ void __wake_up_pollfree(struct wait_queu + /* POLLFREE must have cleared the queue. 
*/ + WARN_ON_ONCE(waitqueue_active(wq_head)); + } ++EXPORT_SYMBOL_GPL(__wake_up_pollfree); + + /* + * Note: we use "set_current_state()" _after_ the wait-queue add, +--- a/kernel/task_work.c ++++ b/kernel/task_work.c +@@ -73,6 +73,7 @@ int task_work_add(struct task_struct *ta + + return 0; + } ++EXPORT_SYMBOL_GPL(task_work_add); + + /** + * task_work_cancel_match - cancel a pending work added by task_work_add() +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1757,6 +1757,7 @@ void zap_page_range(struct vm_area_struc + mmu_notifier_invalidate_range_end(&range); + tlb_finish_mmu(&tlb); + } ++EXPORT_SYMBOL_GPL(zap_page_range); + + /** + * zap_page_range_single - remove user pages in a given range +--- a/mm/shmem.c ++++ b/mm/shmem.c +@@ -4245,6 +4245,7 @@ int shmem_zero_setup(struct vm_area_stru + + return 0; + } ++EXPORT_SYMBOL_GPL(shmem_zero_setup); + + /** + * shmem_read_mapping_page_gfp - read into page cache, using specified page allocation flags. +--- a/security/security.c ++++ b/security/security.c +@@ -752,24 +752,28 @@ int security_binder_set_context_mgr(cons + { + return call_int_hook(binder_set_context_mgr, 0, mgr); + } ++EXPORT_SYMBOL_GPL(security_binder_set_context_mgr); + + int security_binder_transaction(const struct cred *from, + const struct cred *to) + { + return call_int_hook(binder_transaction, 0, from, to); + } ++EXPORT_SYMBOL_GPL(security_binder_transaction); + + int security_binder_transfer_binder(const struct cred *from, + const struct cred *to) + { + return call_int_hook(binder_transfer_binder, 0, from, to); + } ++EXPORT_SYMBOL_GPL(security_binder_transfer_binder); + + int security_binder_transfer_file(const struct cred *from, + const struct cred *to, struct file *file) + { + return call_int_hook(binder_transfer_file, 0, from, to, file); + } ++EXPORT_SYMBOL_GPL(security_binder_transfer_file); + + int security_ptrace_access_check(struct task_struct *child, unsigned int mode) + { 
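Review bot: In the kernel/sched/core.c hunk `EXPORT_SYMBOL_GPL(can_nice);` is inserted directly after the closing brace of `is_nice_reduction()` and before the kernel-doc comment that introduces `can_nice`, so the export sits above the function it exports and visually attaches to the wrong one. It presumably builds only because `can_nice` is already declared in a header; the line should be moved to just after the body of `can_nice`, which is the immediately-after-definition placement every other hunk in this patch uses. The `can_nice` definition itself is outside the hunk, so the new position has to be chosen there.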
diff --git a/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch new file mode 100644 index 000000000..88a2b15b3 --- /dev/null +++ b/debian/patches/debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch @@ -0,0 +1,29 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Subject: fanotify: Taint on use of FANOTIFY_ACCESS_PERMISSIONS +Date: Wed, 13 Jul 2016 01:37:22 +0100 +Forwarded: not-needed + +Various free and proprietary AV products use this feature and users +apparently want it. But punting access checks to userland seems like +an easy way to deadlock the system, and there will be nothing we can +do about that. So warn and taint the kernel if this feature is +actually used. + +--- +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -1661,6 +1661,14 @@ static int do_fanotify_mark(int fanotify + umask = FANOTIFY_EVENT_FLAGS; + } + ++#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS ++ if (mask & FANOTIFY_PERM_EVENTS) { ++ pr_warn_once("%s (%d): Using fanotify permission checks may lead to deadlock; tainting kernel\n", ++ current->comm, current->pid); ++ add_taint(TAINT_AUX, LOCKDEP_STILL_OK); ++ } ++#endif ++ + f = fdget(fanotify_fd); + if (unlikely(!f.file)) + return -EBADF; diff --git a/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch b/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch new file mode 100644 index 000000000..27bc69903 --- /dev/null +++ b/debian/patches/debian/firmware_class-refer-to-debian-wiki-firmware-page.patch 
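Review bot: The added `FANOTIFY_PERM_EVENTS` block in do_fanotify_mark runs before `fdget(fanotify_fd)` and before any later validation, so a call that then fails with -EBADF or an invalid flag combination still logs the warning and taints the kernel, and any caller that reaches fanotify_mark() can trigger the taint whether or not it holds a fanotify group. Moving the block to the point where the mark is actually added (after the fd and group checks succeed) would make the taint reflect real use of permission events, which is what the description says it is for. do_fanotify_mark continues outside the hunk, so the exact insertion point has to be chosen there; the `#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS` guard itself is fine since `FANOTIFY_PERM_EVENTS` is only meaningful with that option.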
@@ -0,0 +1,52 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Mon, 12 Mar 2018 01:14:03 +0000 +Subject: firmware_class: Refer to Debian wiki page when logging missing firmware +Bug-Debian: https://bugs.debian.org/888405 +Forwarded: not-needed + +If firmware loading fails due to a missing file, log a second error +message referring to our wiki page about firmware. This will explain +why some firmware is in non-free, or can't be packaged at all. Only +do this once per boot. + +Do something similar in the radeon and amdgpu drivers, where we have +an early check to avoid failing at a point where we cannot display +anything. + +--- +--- a/drivers/base/firmware_loader/main.c ++++ b/drivers/base/firmware_loader/main.c +@@ -334,9 +334,12 @@ fw_get_filesystem_firmware(struct device + } + __putname(path); + +- if (rc) ++ if (rc) { + dev_err(device, "firmware: failed to load %s (%d)\n", + fw_priv->fw_name, rc); ++ if (rc == -ENOENT) ++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n"); ++ } + + return rc; + } +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -367,6 +367,7 @@ static int radeon_pci_probe(struct pci_d + if ((ent->driver_data & RADEON_FAMILY_MASK) >= CHIP_R600 && + !radeon_firmware_installed()) { + DRM_ERROR("radeon kernel modesetting for R600 or later requires firmware installed\n"); ++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n"); + return -ENODEV; + } + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -626,6 +626,7 @@ static int amdgpu_pci_probe(struct pci_d + + if (!amdgpu_firmware_installed()) { + DRM_ERROR("amdgpu requires firmware installed\n"); ++ pr_err_once("See https://wiki.debian.org/Firmware for information about missing firmware\n"); + return -ENODEV; + } + 
diff --git a/debian/patches/debian/fjes-disable-autoload.patch b/debian/patches/debian/fjes-disable-autoload.patch new file mode 100644 index 000000000..873c6906e --- /dev/null +++ b/debian/patches/debian/fjes-disable-autoload.patch @@ -0,0 +1,26 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Sat, 18 Mar 2017 20:47:58 +0000 +Subject: fjes: Disable auto-loading +Bug-Debian: https://bugs.debian.org/853976 +Forwarded: no + +fjes matches a generic ACPI device ID, and relies on its probe +function to distinguish whether that really corresponds to a supported +device. Very few system will need the driver and it wastes memory on +all the other systems where the same device ID appears, so disable +auto-loading. + +--- +Index: linux/drivers/net/fjes/fjes_main.c +=================================================================== +--- linux.orig/drivers/net/fjes/fjes_main.c ++++ linux/drivers/net/fjes/fjes_main.c +@@ -36,7 +36,7 @@ static const struct acpi_device_id fjes_ + {ACPI_MOTHERBOARD_RESOURCE_HID, 0}, + {"", 0}, + }; +-MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); ++/* MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids); */ + + static bool is_extended_socket_device(struct acpi_device *device) + { diff --git a/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch new file mode 100644 index 000000000..eab0e78ee --- /dev/null +++ b/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch 
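Review bot: Disabling autoload by wrapping `MODULE_DEVICE_TABLE(acpi, fjes_acpi_ids);` in a C comment leaves commented-out code with no in-tree explanation of why the modalias was removed; the same pattern is used for `MODULE_ALIAS_NETPROTO(...)` in the hamradio, rds and snd-pcsp patches further down this page. A one-line comment next to each, e.g. `/* Debian: no modalias on purpose, so the driver is never autoloaded (#853976) */`, keeps the rationale where a later rebase will see it instead of only in the patch header. The `fjes_acpi_ids` table itself is kept, so the driver still binds when loaded by the administrator, which matches the description.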
@@ -0,0 +1,22 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Subject: fs: Enable link security restrictions by default +Date: Fri, 02 Nov 2012 05:32:06 +0000 +Bug-Debian: https://bugs.debian.org/609455 +Forwarded: not-needed + +This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 +('VFS: don't do protected {sym,hard}links by default'). + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -1020,8 +1020,8 @@ static inline void put_link(struct namei + path_put(&last->link); + } + +-static int sysctl_protected_symlinks __read_mostly; +-static int sysctl_protected_hardlinks __read_mostly; ++static int sysctl_protected_symlinks __read_mostly = 1; ++static int sysctl_protected_hardlinks __read_mostly = 1; + static int sysctl_protected_fifos __read_mostly; + static int sysctl_protected_regular __read_mostly; + diff --git a/debian/patches/debian/gitignore.patch b/debian/patches/debian/gitignore.patch new file mode 100644 index 000000000..f98a51426 --- /dev/null +++ b/debian/patches/debian/gitignore.patch 
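Review bot: Flipping the initialisers to `= 1` changes the effective defaults of `fs.protected_symlinks` and `fs.protected_hardlinks` without touching the kernel's sysctl documentation, so if the admin-guide states the upstream default it will now disagree with the running kernel; a sentence in the patch description noting that the documented default differs would help administrators who read the docs rather than /proc/sys. `sysctl_protected_fifos` and `sysctl_protected_regular` are left at 0, which matches the subject line, but that asymmetry also deserves a line in the description so nobody assumes all four were enabled.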
@@ -0,0 +1,52 @@ +From: Ian Campbell <ijc@hellion.org.uk> +Date: Thu, 17 Jan 2013 08:55:21 +0000 +Subject: Tweak gitignore for Debian pkg-kernel using git svn. +Forwarded: not-needed + +[bwh: Tweak further for pure git] + +Index: linux/.gitignore +=================================================================== +--- linux.orig/.gitignore ++++ linux/.gitignore +@@ -76,11 +76,6 @@ modules.order + /*.spec + + # +-# Debian directory (make deb-pkg) +-# +-/debian/ +- +-# + # Snap directory (make snap-pkg) + # + /snap/ +@@ -91,17 +86,6 @@ modules.order + /tar-install/ + + # +-# We don't want to ignore the following even if they are dot-files +-# +-!.clang-format +-!.cocciconfig +-!.get_maintainer.ignore +-!.gitattributes +-!.gitignore +-!.mailmap +-!.rustfmt.toml +- +-# + # Generated include files + # + /include/config/ +@@ -168,3 +152,10 @@ sphinx_*/ + + # Rust analyzer configuration + /rust-project.json ++ ++# ++# Debian packaging: ignore everything at the top level, since it isn't ++# included in our repository ++# ++/* ++!/debian/ diff --git a/debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch b/debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch new file mode 100644 index 000000000..b532d0054 --- /dev/null +++ b/debian/patches/debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch 
@@ -0,0 +1,48 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Mon, 05 Aug 2019 00:29:11 +0100 +Subject: hamradio: Disable auto-loading as mitigation against local exploits +Forwarded: not-needed + +We can mitigate the effect of vulnerabilities in obscure protocols by +preventing unprivileged users from loading the modules, so that they +are only exploitable on systems where the administrator has chosen to +load the protocol. + +The 'ham' radio protocols (ax25, netrom, rose) are not actively +maintained or widely used. Therefore disable auto-loading. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1986,7 +1986,7 @@ module_init(ax25_init); + MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>"); + MODULE_DESCRIPTION("The amateur radio AX.25 link layer protocol"); + MODULE_LICENSE("GPL"); +-MODULE_ALIAS_NETPROTO(PF_AX25); ++/* MODULE_ALIAS_NETPROTO(PF_AX25); */ + + static void __exit ax25_exit(void) + { +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1486,7 +1486,7 @@ MODULE_PARM_DESC(nr_ndevs, "number of NE + MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>"); + MODULE_DESCRIPTION("The amateur radio NET/ROM network and transport layer protocol"); + MODULE_LICENSE("GPL"); +-MODULE_ALIAS_NETPROTO(PF_NETROM); ++/* MODULE_ALIAS_NETPROTO(PF_NETROM); */ + + static void __exit nr_exit(void) + { +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1577,7 +1577,7 @@ MODULE_PARM_DESC(rose_ndevs, "number of + MODULE_AUTHOR("Jonathan Naylor G4KLX <g4klx@g4klx.demon.co.uk>"); + MODULE_DESCRIPTION("The amateur radio ROSE network layer protocol"); + MODULE_LICENSE("GPL"); +-MODULE_ALIAS_NETPROTO(PF_ROSE); ++/* MODULE_ALIAS_NETPROTO(PF_ROSE); */ + + static void __exit rose_exit(void) + { 
diff --git a/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch new file mode 100644 index 000000000..1b216d0d1 --- /dev/null +++ b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch @@ -0,0 +1,27 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Tue, 16 Feb 2016 02:45:42 +0000 +Subject: [i386/686-pae] PCI: Set pci=nobios by default +Forwarded: not-needed + +CONFIG_PCI_GOBIOS results in physical addresses 640KB-1MB being mapped +W+X, which is undesirable for security reasons and will result in a +warning at boot now that we enable CONFIG_DEBUG_WX. + +This can be overridden using the kernel parameter "pci=nobios", but we +want to disable W+X by default. Disable PCI BIOS probing by default; +it can still be enabled using "pci=bios". + +--- +--- a/arch/x86/pci/common.c ++++ b/arch/x86/pci/common.c +@@ -21,8 +21,8 @@ + #include <asm/setup.h> + #include <asm/irqdomain.h> + +-unsigned int pci_probe = PCI_PROBE_BIOS | PCI_PROBE_CONF1 | PCI_PROBE_CONF2 | +- PCI_PROBE_MMCONF; ++unsigned int pci_probe = PCI_PROBE_CONF1 | PCI_PROBE_CONF2 | PCI_PROBE_MMCONF | ++ (IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE) ? 0 : PCI_PROBE_BIOS); + + static int pci_bf_sort; + int pci_routeirq; diff --git a/debian/patches/debian/ia64-hardcode-arch-script-output.patch b/debian/patches/debian/ia64-hardcode-arch-script-output.patch new file mode 100644 index 000000000..56fdc4cb4 --- /dev/null +++ b/debian/patches/debian/ia64-hardcode-arch-script-output.patch 
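Review bot: The new initialiser relies on `||` binding tighter than `?:`, which is correct but easy to misread inside a bit-or chain; parenthesising the condition, `(IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE)) ? 0 : PCI_PROBE_BIOS`, makes the intent explicit. A comment above the line carrying the reason from the patch header, e.g. `/* Debian: BIOS probing maps 640K-1M W+X; stay off unless pci=bios is given */`, saves the next reader a trip to the patch description.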
@@ -0,0 +1,71 @@ +From: dann frazier <dannf@debian.org> +Subject: Hardcode arch script output +Date: Mon, 26 Mar 2007 16:30:51 -0600 +Bug-Debian: https://bugs.debian.org/392592 +Forwarded: not-needed + +Here's a patch that simply uses hardcoded definitions instead of +doing the dynamic tests that require architecture-specific scripts. + +I don't particularly like this approach because it restricts +portability and diverts from upstream. But, it is simpler, and this +really needs to be fixed somehow before etch (along with a rebuild of +linux-modules-extra-2.6), so I'm willing to live with it if my other +patch is deemed unacceptable. + +My primary concern is that, in the future, the output of these scripts +will change and we (or our successors) will either not notice or +forget to update the hardcoded values. + +Including the scripts in linux-kbuild will avoid this manual step +altogether, and allow for the possibility of other archs to provide +their own scripts in the future. +--- + arch/ia64/Makefile | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +--- a/arch/ia64/Makefile ++++ b/arch/ia64/Makefile +@@ -26,16 +26,7 @@ cflags-y := -pipe $(EXTRA) -ffixed-r13 - + -falign-functions=32 -frename-registers -fno-optimize-sibling-calls + KBUILD_CFLAGS_KERNEL := -mconstant-gp + +-GAS_STATUS = $(shell $(srctree)/arch/ia64/scripts/check-gas "$(CC)" "$(OBJDUMP)") +-KBUILD_CPPFLAGS += $(shell $(srctree)/arch/ia64/scripts/toolchain-flags "$(CC)" "$(OBJDUMP)" "$(READELF)") +- +-ifeq ($(GAS_STATUS),buggy) +-$(error Sorry, you need a newer version of the assember, one that is built from \ +- a source-tree that post-dates 18-Dec-2002. 
You can find a pre-compiled \ +- static binary of such an assembler at: \ +- \ +- ftp://ftp.hpl.hp.com/pub/linux-ia64/gas-030124.tar.gz) +-endif ++KBUILD_CPPFLAGS += -DHAVE_WORKING_TEXT_ALIGN -DHAVE_MODEL_SMALL_ATTRIBUTE -DHAVE_SERIALIZE_DIRECTIVE + + quiet_cmd_gzip = GZIP $@ + cmd_gzip = cat $(real-prereqs) | $(KGZIP) -n -f -9 > $@ +@@ -52,7 +43,7 @@ drivers-y += arch/ia64/pci/ arch/ia64/ + + PHONY += compressed check + +-all: compressed unwcheck ++all: compressed + + compressed: vmlinux.gz + +@@ -64,9 +55,6 @@ vmlinux.gz: vmlinux.bin FORCE + vmlinux.bin: vmlinux FORCE + $(call if_changed,objcopy) + +-unwcheck: vmlinux +- -$(Q)READELF=$(READELF) $(PYTHON3) $(srctree)/arch/ia64/scripts/unwcheck.py $< +- + archheaders: + $(Q)$(MAKE) $(build)=arch/ia64/kernel/syscalls all + +@@ -78,5 +66,4 @@ install: vmlinux.gz + define archhelp + echo '* compressed - Build compressed kernel image' + echo ' install - Install compressed kernel image' +- echo '* unwcheck - Check vmlinux for invalid unwind info' + endef diff --git a/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch new file mode 100644 index 000000000..c8061436d --- /dev/null +++ b/debian/patches/debian/iwlwifi-do-not-request-unreleased-firmware.patch 
@@ -0,0 +1,26 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Subject: iwlwifi: Do not request unreleased firmware for IWL6000 +Bug-Debian: https://bugs.debian.org/689416 +Forwarded: not-needed + +The iwlwifi driver currently supports firmware API versions 4-6 for +these devices. It will request the file for the latest supported +version and then fall back to earlier versions. However, the latest +version that has actually been released is 4, so we expect the +requests for versions 6 and then 5 to fail. + +The installer appears to report any failed request, and it is probably +not easy to detect that this particular failure is harmless. So stop +requesting the unreleased firmware. + +--- a/drivers/net/wireless/intel/iwlwifi/cfg/6000.c ++++ b/drivers/net/wireless/intel/iwlwifi/cfg/6000.c +@@ -31,7 +31,7 @@ + #include "dvm/commands.h" /* needed for BT for now */ + + /* Highest firmware API version supported */ +-#define IWL6000_UCODE_API_MAX 6 ++#define IWL6000_UCODE_API_MAX 4 /* v5-6 are supported but not released */ + #define IWL6050_UCODE_API_MAX 5 + #define IWL6000G2_UCODE_API_MAX 6 + #define IWL6035_UCODE_API_MAX 6 diff --git a/debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch b/debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch new file mode 100644 index 000000000..ec23040d8 --- /dev/null +++ b/debian/patches/debian/kbuild-abort-build-if-subdirs-used.patch 
@@ -0,0 +1,37 @@ +From: Ben Hutchings <benh@debian.org> +Date: Mon, 26 Apr 2021 18:27:16 +0200 +Subject: kbuild: Abort build if SUBDIRS used +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/987575 + +DKMS and module-assistant both build OOT modules as root. If they +build an old OOT module that still use SUBDIRS this causes Kbuild +to try building a full kernel, which obviously fails but not before +deleting files from the installed headers package. + +To avoid such mishaps, detect this situation and abort the build. + +The error message is based on that used in commit 0126be38d988 +"kbuild: announce removal of SUBDIRS if used". +--- +--- a/Makefile ++++ b/Makefile +@@ -218,6 +218,18 @@ ifeq ("$(origin M)", "command line") + KBUILD_EXTMOD := $(M) + endif + ++# Old syntax make ... SUBDIRS=$PWD should be rejected to avoid mishaps ++# (see Debian bugs #982334, #987575) ++ifndef KBUILD_EXTMOD ++ ifdef SUBDIRS ++ $(warning =============== ERROR ==============) ++ $(warning 'SUBDIRS' was removed in Linux 5.3) ++ $(warning Use 'M=' or 'KBUILD_EXTMOD=' instead) ++ $(warning ====================================) ++ $(error .) ++ endif ++endif ++ + $(if $(word 2, $(KBUILD_EXTMOD)), \ + $(error building multiple external modules is not supported)) + diff --git a/debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch b/debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch new file mode 100644 index 000000000..f9a22d892 --- /dev/null +++ b/debian/patches/debian/kbuild-look-for-module.lds-under-arch-directory-too.patch 
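Review bot: `ifdef SUBDIRS` is also true for a SUBDIRS variable inherited from the environment, so a build run in a shell that happens to export SUBDIRS for unrelated reasons aborts with the 'removed in Linux 5.3' error although nothing was passed on the make command line. The surrounding code already distinguishes origins with `ifeq ("$(origin M)", "command line")`; using `ifeq ("$(origin SUBDIRS)", "command line")` (or explicitly listing `environment` too, if that is intended) makes the check precise and self-documenting. Because the check sits under `ifndef KBUILD_EXTMOD`, a build that passes both M= and SUBDIRS= is still accepted silently; if that is deliberate, the comment above the block should say so.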
@@ -0,0 +1,52 @@ +From: Ben Hutchings <benh@debian.org> +Date: Thu, 10 Dec 2020 17:31:39 +0100 +Subject: kbuild: Look for module.lds under arch directory too +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/975571 + +The module.lds linker script is now built under the scripts directory, +where previously it was under arch/$(SRCARCH). + +However, we package the scripts directory as linux-kbuild, which is +meant to be able to do support native and cross-builds. That means it +shouldn't contain files for a specific target architecture without a +wrapper to select between them, and it doesn't appear that linker +scripts are powerful enough to implement such a wrapper. + +Building module.lds in a different location would require relatively +large changes. Moving it in the package build rules can work, but we +need to support custom kernel builds from the same source so we can't +assume it's moved. + +Therefore, we move module.lds under the arch build directory in +rules.real and change Makefile.modfinal to look for it in both places. 
+ +--- +Index: linux/scripts/Makefile.modfinal +=================================================================== +--- linux.orig/scripts/Makefile.modfinal ++++ linux/scripts/Makefile.modfinal +@@ -29,12 +29,13 @@ quiet_cmd_cc_o_c = CC [M] $@ + $(call if_changed_dep,cc_o_c) + + ARCH_POSTLINK := $(wildcard $(srctree)/arch/$(SRCARCH)/Makefile.postlink) ++ARCH_MODULE_LDS := $(word 1,$(wildcard scripts/module.lds arch/$(SRCARCH)/module.lds)) + + quiet_cmd_ld_ko_o = LD [M] $@ + cmd_ld_ko_o += \ + $(LD) -r $(KBUILD_LDFLAGS) \ + $(KBUILD_LDFLAGS_MODULE) $(LDFLAGS_MODULE) \ +- -T scripts/module.lds -o $@ $(filter %.o, $^); \ ++ -T $(ARCH_MODULE_LDS) -o $@ $(filter %.o, $^); \ + $(if $(ARCH_POSTLINK), $(MAKE) -f $(ARCH_POSTLINK) $@, true) + + quiet_cmd_btf_ko = BTF [M] $@ +@@ -57,7 +58,7 @@ if_changed_except = $(if $(call newer_pr + printf '%s\n' 'cmd_$@ := $(make-cmd)' > $(dot-target).cmd, @:) + + # Re-generate module BTFs if either module's .ko or vmlinux changed +-$(modules): %.ko: %.o %.mod.o scripts/module.lds $(and $(CONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),vmlinux) FORCE ++$(modules): %.ko: %.o %.mod.o $(ARCH_MODULE_LDS) $(and $(CONFIG_DEBUG_INFO_BTF_MODULES),$(KBUILD_BUILTIN),vmlinux) FORCE + +$(call if_changed_except,ld_ko_o,vmlinux) + ifdef CONFIG_DEBUG_INFO_BTF_MODULES + +$(if $(newer-prereqs),$(call cmd,btf_ko)) diff --git a/debian/patches/debian/kernelvariables.patch b/debian/patches/debian/kernelvariables.patch new file mode 100644 index 000000000..2196c8a43 --- /dev/null +++ b/debian/patches/debian/kernelvariables.patch 
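Review bot: `ARCH_MODULE_LDS := $(word 1,$(wildcard ...))` expands to empty when neither scripts/module.lds nor arch/$(SRCARCH)/module.lds exists, and the link then runs `$(LD) -r ... -T -o $@`, so `-o` is consumed as the linker-script name and the problem surfaces as a confusing ld error instead of a missing-file message; in that case the `$(modules)` rule also silently loses its linker-script prerequisite. A guard right after the assignment, `$(if $(ARCH_MODULE_LDS),,$(error module.lds not found in scripts/ or arch/$(SRCARCH)/))`, reports the real cause at parse time. The `$(wildcard)` is evaluated relative to the build directory, which is what the description relies on, and a comment on the new line stating that would help whoever next moves module.lds.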
@@ -0,0 +1,92 @@ +From: Bastian Blank <waldi@debian.org> +Subject: kbuild: Make the toolchain variables easily overwritable +Date: Sun, 22 Feb 2009 15:39:35 +0100 +Forwarded: not-needed + +Allow make variables to be overridden for each flavour by a file in +the build tree, .kernelvariables. + +We currently use this for ARCH, KERNELRELEASE, CC, and in some cases +also CROSS_COMPILE, KCFLAGS. + +This file can only be read after we establish the build tree, and all +use of $(ARCH) needs to be moved after this. + +[bwh: Updated for 5.3: include .kernelvariables from current directory + rather than using undefined $(obj).] +--- +--- a/Makefile ++++ b/Makefile +@@ -395,36 +395,6 @@ include $(srctree)/scripts/subarch.inclu + # Note: Some architectures assign CROSS_COMPILE in their arch/*/Makefile + ARCH ?= $(SUBARCH) + +-# Architecture as present in compile.h +-UTS_MACHINE := $(ARCH) +-SRCARCH := $(ARCH) +- +-# Additional ARCH settings for x86 +-ifeq ($(ARCH),i386) +- SRCARCH := x86 +-endif +-ifeq ($(ARCH),x86_64) +- SRCARCH := x86 +-endif +- +-# Additional ARCH settings for sparc +-ifeq ($(ARCH),sparc32) +- SRCARCH := sparc +-endif +-ifeq ($(ARCH),sparc64) +- SRCARCH := sparc +-endif +- +-# Additional ARCH settings for parisc +-ifeq ($(ARCH),parisc64) +- SRCARCH := parisc +-endif +- +-export cross_compiling := +-ifneq ($(SRCARCH),$(SUBARCH)) +-cross_compiling := 1 +-endif +- + KCONFIG_CONFIG ?= .config + export KCONFIG_CONFIG + +@@ -540,6 +510,35 @@ RUSTFLAGS_KERNEL = + AFLAGS_KERNEL = + LDFLAGS_vmlinux = + ++-include .kernelvariables ++ ++# Architecture as present in compile.h ++UTS_MACHINE := $(ARCH) ++SRCARCH := $(ARCH) ++ ++# Additional ARCH settings for x86 ++ifeq ($(ARCH),i386) ++ SRCARCH := x86 ++endif ++ifeq ($(ARCH),x86_64) ++ SRCARCH := x86 ++endif ++ ++# Additional ARCH settings for sparc ++ifeq ($(ARCH),sparc64) ++ SRCARCH := sparc ++endif ++ ++# Additional ARCH settings for parisc ++ifeq ($(ARCH),parisc64) ++ SRCARCH := parisc ++endif ++ ++# Additional ARCH 
settings for sh ++ifeq ($(ARCH),sh64) ++ SRCARCH := sh ++endif ++ + # Use USERINCLUDE when you must reference the UAPI directories only. + USERINCLUDE := \ + -I$(srctree)/arch/$(SRCARCH)/include/uapi \ diff --git a/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch b/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch new file mode 100644 index 000000000..f0d5c80d7 --- /dev/null +++ b/debian/patches/debian/makefile-make-compiler-version-comparison-optional.patch @@ -0,0 +1,31 @@ +From: Ben Hutchings <benh@debian.org> +Date: Thu, 15 Sep 2022 02:14:03 +0200 +Subject: Makefile: Make compiler version comparison optional +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/1019749 + +The top-level Makefile warns if the compiler version string changes at +all between the kernel build and an out-of-tree module build. + +We expect that major compiler version changes could introduce ABI +changes, and override the CC variable in out-of-tree module builds to +ensure that the same major compiler version is used. But minor +version changes should not make a difference, so this exact version +comparison produces false warnings. + +Since custom kernel packages don't have that, don't remove the version +comparison. Instead, skip it if $(DEBIAN_KERNEL_NO_CC_VERSION_CHECK) +is non-empty. + +--- +--- a/Makefile ++++ b/Makefile +@@ -1753,7 +1753,7 @@ PHONY += prepare + # now expand this into a simple variable to reduce the cost of shell evaluations + prepare: CC_VERSION_TEXT := $(CC_VERSION_TEXT) + prepare: +- @if [ "$(CC_VERSION_TEXT)" != "$(CONFIG_CC_VERSION_TEXT)" ]; then \ ++ @if [ -z "$(DEBIAN_KERNEL_NO_CC_VERSION_CHECK)" ] && [ "$(CC_VERSION_TEXT)" != "$(CONFIG_CC_VERSION_TEXT)" ]; then \ + echo >&2 "warning: the compiler differs from the one used to build the kernel"; \ + echo >&2 " The kernel was built by: $(CONFIG_CC_VERSION_TEXT)"; \ + echo >&2 " You are using: $(CC_VERSION_TEXT)"; \ 
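Review bot: The block re-added below `-include .kernelvariables` is not a faithful copy of the block removed earlier in the Makefile: the removed lines mapped `sparc32` to `SRCARCH := sparc` and defined and exported `cross_compiling` (set to 1 when `$(SRCARCH)` differs from `$(SUBARCH)`), while the new block contains neither, so after this patch `cross_compiling` is never exported unless it is restored somewhere outside these hunks. Anything downstream that tests `cross_compiling` to choose host tools or a default CROSS_COMPILE would then see it empty on a cross build. Re-adding those lines after the new SRCARCH mapping keeps the move behaviour-preserving, and the `sh64` case, which is an addition rather than part of the move, deserves a sentence in the patch description.
```makefile
# … unchanged: -include .kernelvariables and the SRCARCH mapping for x86/sparc64/parisc64/sh64 …
# Additional ARCH settings for sparc (sparc32 case carried over from the removed block)
ifeq ($(ARCH),sparc32)
  SRCARCH := sparc
endif

export cross_compiling :=
ifneq ($(SRCARCH),$(SUBARCH))
cross_compiling := 1
endif
```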
diff --git a/debian/patches/debian/mips-boston-disable-its.patch b/debian/patches/debian/mips-boston-disable-its.patch new file mode 100644 index 000000000..ca4de2daa --- /dev/null +++ b/debian/patches/debian/mips-boston-disable-its.patch @@ -0,0 +1,22 @@ +From: YunQiang Su <syq@debian.org> +Date: Mon, 14 May 2018 16:16:18 +0800 +Subject: Disable uImage generation for mips generic +Forwarded: not-needed + +MIPS generic trys to generate uImage when build, which then ask for +u-boot-tools. + +[bwh: Updated for 5.17: + - zload-y is no longer assigned here and appears to default to empty + - Adjust context] + +--- a/arch/mips/generic/Platform ++++ b/arch/mips/generic/Platform +@@ -13,7 +13,6 @@ cflags-$(CONFIG_MACH_INGENIC_SOC) += -I$ + cflags-$(CONFIG_MIPS_GENERIC) += -I$(srctree)/arch/mips/include/asm/mach-generic + + load-$(CONFIG_MIPS_GENERIC) += 0xffffffff80100000 +-all-$(CONFIG_MIPS_GENERIC) += vmlinux.gz.itb + + its-y := vmlinux.its.S + its-$(CONFIG_FIT_IMAGE_FDT_BOSTON) += board-boston.its.S diff --git a/debian/patches/debian/mips-disable-werror.patch b/debian/patches/debian/mips-disable-werror.patch new file mode 100644 index 000000000..b8fe8b44c --- /dev/null +++ b/debian/patches/debian/mips-disable-werror.patch @@ -0,0 +1,23 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Mon, 13 Sep 2010 02:16:18 +0100 +Subject: [PATCH] Partially revert "MIPS: Add -Werror to arch/mips/Kbuild" +Forwarded: not-needed + +This reverts commits 66f9ba101f54bda63ab1db97f9e9e94763d0651b and +5373633cc9253ba82547473e899cab141c54133e. + +We really don't want to add -Werror anywhere. +--- +--- a/arch/mips/Kbuild ++++ b/arch/mips/Kbuild +@@ -1,10 +1,4 @@ + # SPDX-License-Identifier: GPL-2.0 +-# Fail on warnings - also for files referenced in subdirs +-# -Werror can be disabled for specific files using: +-# CFLAGS_<file.o> := -Wno-error +-ifeq ($(W),) +-subdir-ccflags-y := -Werror +-endif + + # platform specific definitions + include arch/mips/Kbuild.platforms 
diff --git a/debian/patches/debian/mips-ieee754-relaxed.patch b/debian/patches/debian/mips-ieee754-relaxed.patch new file mode 100644 index 000000000..20dff251c --- /dev/null +++ b/debian/patches/debian/mips-ieee754-relaxed.patch @@ -0,0 +1,32 @@ +From: YunQiang Su <syq@debian.org> +Date: Mon 16 Nov 2020 09:11:00 +0800 +Subject: Use RELAXED ieee754 mode for Loongson-3 as 3A 4000 is 2008-only +Forwarded: not-needed + +There are 2 mode of value of IEEE NaN hardcoded by CPU. +Currently, our mipsel/mips64el port is in so-called lagacy mode. +Loongson 3A 4000 is set as the so-called 2008 mode. + +To make Debian workable on Loongson 3A 4000, we need set the kerenl in +RELAXED mode. + +https://web.archive.org/web/20180830093617/https://dmz-portal.mips.com/wiki/MIPS_ABI_-_NaN_Interlinking + +diff --git a/arch/mips/kernel/fpu-probe.c b/arch/mips/kernel/fpu-probe.c +index e689d6a83..667226f94 100644 +--- a/arch/mips/kernel/fpu-probe.c ++++ b/arch/mips/kernel/fpu-probe.c +@@ -144,7 +144,12 @@ static void cpu_set_fpu_2008(struct cpuinfo_mips *c) + * IEEE 754 conformance mode to use. Affects the NaN encoding and the + * ABS.fmt/NEG.fmt execution mode. + */ +-static enum { STRICT, LEGACY, STD2008, RELAXED } ieee754 = STRICT; ++enum ieee754_mode { STRICT, LEGACY, STD2008, RELAXED }; ++#ifdef CONFIG_CPU_LOONGSON64 ++static enum ieee754_mode ieee754 = RELAXED; ++#else ++static enum ieee754_mode ieee754 = STRICT; ++#endif + + /* + * Set the IEEE 754 NaN encodings and the ABS.fmt/NEG.fmt execution modes diff --git a/debian/patches/debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch b/debian/patches/debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch new file mode 100644 index 000000000..3582f4ba3 --- /dev/null +++ b/debian/patches/debian/module-avoid-abi-changes-when-debug-info-is-disabled.patch 
@@ -0,0 +1,23 @@ +From: Ben Hutchings <benh@debian.org> +Date: Fri, 13 May 2022 21:08:08 +0200 +Subject: module: Avoid ABI changes when debug info is disabled +Forwarded: not-needed + +CI builds are done with debug info disabled, but this removes some +members from struct module. This causes builds to fail if there is an +ABI reference for the current ABI. + +Define these members unconditionally, so that there is no ABI change. + +--- +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -471,7 +471,7 @@ struct module { + unsigned int num_bpf_raw_events; + struct bpf_raw_event_map *bpf_raw_events; + #endif +-#ifdef CONFIG_DEBUG_INFO_BTF_MODULES ++#if 1 + unsigned int btf_data_size; + void *btf_data; + #endif diff --git a/debian/patches/debian/ntfs-mark-it-as-broken.patch b/debian/patches/debian/ntfs-mark-it-as-broken.patch new file mode 100644 index 000000000..207f9751e --- /dev/null +++ b/debian/patches/debian/ntfs-mark-it-as-broken.patch @@ -0,0 +1,22 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Thu, 25 Apr 2019 15:31:33 +0100 +Subject: ntfs: mark it as broken + +NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and +CVE-2018-12931. ntfs-3g is a better supported alternative. + +Make sure it can't be enabled even in custom kernels. + +--- +Index: debian-kernel/fs/ntfs/Kconfig +=================================================================== +--- debian-kernel.orig/fs/ntfs/Kconfig ++++ debian-kernel/fs/ntfs/Kconfig +@@ -1,6 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + config NTFS_FS + tristate "NTFS file system support" ++ depends on BROKEN + select NLS + help + NTFS is the file system of Microsoft Windows NT, 2000, XP and 2003. diff --git a/debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch b/debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch new file mode 100644 index 000000000..89df33ab0 --- /dev/null 
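Review bot: `#if 1` around `btf_data_size`/`btf_data` leaves a conditional that no longer conditions anything and gives no hint that the members are kept on purpose, so a later rebase may well "fix" it back to `CONFIG_DEBUG_INFO_BTF_MODULES`. Either replace the `#if 1` line (and its `#endif`) with a comment that carries the reason, e.g. `/* Debian: always present so struct module layout does not depend on CONFIG_DEBUG_INFO_BTF_MODULES */` directly above `unsigned int btf_data_size;`, or keep the `#if 1` and attach that comment to it. The ntfs Kconfig hunk sharing this line needs no change.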
+++ b/debian/patches/debian/perf-traceevent-support-asciidoctor-for-documentatio.patch @@ -0,0 +1,54 @@ +From cd02fc78859ef9aefd7c92406f9523622da0b472 Mon Sep 17 00:00:00 2001 +From: Bastian Blank <waldi@debian.org> +Date: Tue, 4 Aug 2020 09:44:37 +0000 +Subject: [PATCH 2/2] perf/traceevent: Support asciidoctor for documentation +Forwarded: not-needed + +--- + tools/lib/perf/Documentation/Makefile | 2 +- + tools/lib/traceevent/Documentation/Makefile | 2 +- + tools/perf/Documentation/Makefile | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/lib/perf/Documentation/Makefile b/tools/lib/perf/Documentation/Makefile +index 972754082a85..272d06173a3e 100644 +--- a/tools/lib/perf/Documentation/Makefile ++++ b/tools/lib/perf/Documentation/Makefile +@@ -35,7 +35,7 @@ htmldir = $(docdir)/html + exdir = $(docdir)/examples + + ASCIIDOC = asciidoc +-ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf ++ASCIIDOC_EXTRA = + ASCIIDOC_HTML = xhtml11 + MANPAGE_XSL = manpage-normal.xsl + XMLTO_EXTRA = +diff --git a/tools/lib/traceevent/Documentation/Makefile b/tools/lib/traceevent/Documentation/Makefile +index aa72ab96c3c1..f3a4ff3b8b0e 100644 +--- a/tools/lib/traceevent/Documentation/Makefile ++++ b/tools/lib/traceevent/Documentation/Makefile +@@ -28,7 +28,7 @@ mandir?=$(prefix)/share/man + man3dir=$(mandir)/man3 + + ASCIIDOC=asciidoc +-ASCIIDOC_EXTRA = --unsafe -f asciidoc.conf ++ASCIIDOC_EXTRA = + ASCIIDOC_HTML = xhtml11 + MANPAGE_XSL = manpage-normal.xsl + XMLTO_EXTRA = +diff --git a/tools/perf/Documentation/Makefile b/tools/perf/Documentation/Makefile +index 6e54979c2124..7bfa6ae971ab 100644 +--- a/tools/perf/Documentation/Makefile ++++ b/tools/perf/Documentation/Makefile +@@ -48,7 +48,7 @@ man5dir=$(mandir)/man5 + man7dir=$(mandir)/man7 + + ASCIIDOC=asciidoc +-ASCIIDOC_EXTRA += --unsafe -f asciidoc.conf ++ASCIIDOC_EXTRA += + ASCIIDOC_HTML = xhtml11 + MANPAGE_XSL = manpage-normal.xsl + XMLTO_EXTRA = +-- +2.28.0 + 
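Review bot: The patch carries no description, so it does not say why dropping `--unsafe -f asciidoc.conf` amounts to "supporting asciidoctor", nor what a plain asciidoc build loses once asciidoc.conf is no longer passed; with `ASCIIDOC = asciidoc` still set in all three Makefiles that file is now simply ignored. A short body stating which tool the packaging actually invokes (presumably one that rejects those flags) and whether the conf macros are unused would let a later maintainer judge if the change is still needed. In the third hunk the result is an empty `ASCIIDOC_EXTRA +=`, which could be deleted outright rather than left as a no-op.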
diff --git a/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch b/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch new file mode 100644 index 000000000..3343aecac --- /dev/null +++ b/debian/patches/debian/rds-Disable-auto-loading-as-mitigation-against-local.patch @@ -0,0 +1,34 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Fri, 19 Nov 2010 02:12:48 +0000 +Subject: [PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits +Forwarded: not-needed + +Recent review has revealed several bugs in obscure protocol +implementations that can be exploited by local users for denial of +service or privilege escalation. We can mitigate the effect of any +remaining vulnerabilities in such protocols by preventing unprivileged +users from loading the modules, so that they are only exploitable on +systems where the administrator has chosen to load the protocol. + +The 'rds' protocol is one such protocol that has been found to be +vulnerable, and which was not present in the 'lenny' kernel. +Therefore disable auto-loading. + +Signed-off-by: Ben Hutchings <ben@decadent.org.uk> +--- + net/rds/af_rds.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c +index 98e0538..d8d4525 100644 +--- a/net/rds/af_rds.c ++++ b/net/rds/af_rds.c +@@ -574,4 +574,4 @@ MODULE_DESCRIPTION("RDS: Reliable Datagram Sockets" + " v" DRV_VERSION " (" DRV_RELDATE ")"); + MODULE_VERSION(DRV_VERSION); + MODULE_LICENSE("Dual BSD/GPL"); +-MODULE_ALIAS_NETPROTO(PF_RDS); ++/* MODULE_ALIAS_NETPROTO(PF_RDS); */ +-- +1.7.2.3 + diff --git a/debian/patches/debian/sched-autogroup-disabled.patch b/debian/patches/debian/sched-autogroup-disabled.patch new file mode 100644 index 000000000..c616fa46e --- /dev/null +++ b/debian/patches/debian/sched-autogroup-disabled.patch 
@@ -0,0 +1,19 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Subject: sched: Do not enable autogrouping by default +Date: Wed, 16 Mar 2011 03:17:06 +0000 +Forwarded: not-needed + +We want to provide the option of autogrouping but without enabling +it by default yet. + +--- a/kernel/sched/autogroup.c ++++ b/kernel/sched/autogroup.c +@@ -4,7 +4,7 @@ + * Auto-group scheduling implementation: + */ + +-unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1; ++unsigned int __read_mostly sysctl_sched_autogroup_enabled = 0; + static struct autogroup autogroup_default; + static atomic_t autogroup_seq_nr; + diff --git a/debian/patches/debian/snd-pcsp-disable-autoload.patch b/debian/patches/debian/snd-pcsp-disable-autoload.patch new file mode 100644 index 000000000..e593f5144 --- /dev/null +++ b/debian/patches/debian/snd-pcsp-disable-autoload.patch 
@@ -0,0 +1,30 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 05 Feb 2014 23:01:30 +0000
+Subject: snd-pcsp: Disable autoload
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/697709
+
+There are two drivers claiming the platform:pcspkr device:
+- pcspkr creates an input(!) device that can only beep
+- snd-pcsp creates an equivalent input device plus a PCM device that can
+ play barely recognisable renditions of sampled sound
+
+snd-pcsp is blacklisted by the alsa-base package, but not everyone
+installs that. On PCs where no sound is wanted at all, both drivers
+will still be loaded and one or other will complain that it couldn't
+claim the relevant I/O range.
+
+In case anyone finds snd-pcsp useful, we continue to build it. But
+remove the alias, to ensure it's not loaded where it's not wanted.
+
+--- a/sound/drivers/pcsp/pcsp.c
++++ b/sound/drivers/pcsp/pcsp.c
+@@ -22,7 +22,7 @@
+ MODULE_AUTHOR("Stas Sergeev <stsp@users.sourceforge.net>");
+ MODULE_DESCRIPTION("PC-Speaker driver");
+ MODULE_LICENSE("GPL");
+-MODULE_ALIAS("platform:pcspkr");
++/*MODULE_ALIAS("platform:pcspkr");*/
+
+ static int index = SNDRV_DEFAULT_IDX1; /* Index 0-MAX */
+ static char *id = SNDRV_DEFAULT_STR1; /* ID for this card */
diff --git a/debian/patches/debian/tools-perf-install-python-bindings.patch b/debian/patches/debian/tools-perf-install-python-bindings.patch
new file mode 100644
index 000000000..c3f174741
--- /dev/null
+++ b/debian/patches/debian/tools-perf-install-python-bindings.patch
@@ -0,0 +1,26 @@
+From: Adriaan Schmidt <adriaan.schmidt@siemens.com>
+Date: Mon, 4 Apr 2022 13:38:33 +0200
+Subject: tools: install perf python bindings
+Bug-Debian: http://bugs.debian.org/860957
+Forwarded: not-needed
+
+---
+ tools/perf/Makefile.perf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/Makefile.perf b/tools/perf/Makefile.perf
+index 80522bcfafe0..b011c7aae742 100644
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -1026,7 +1026,7 @@ install-bin: install-tools install-tests install-traceevent-plugins
+ install: install-bin try-install-man
+
+ install-python_ext:
+- $(PYTHON_WORD) util/setup.py --quiet install --root='/$(DESTDIR_SQ)'
++ $(PYTHON_WORD) util/setup.py --quiet install --root='/$(DESTDIR_SQ)' --install-layout=deb
+
+ # 'make install-doc' should call 'make -C Documentation install'
+ $(INSTALL_DOC_TARGETS):
+--
+2.30.2
+
diff --git a/debian/patches/debian/tools-perf-perf-read-vdso-in-libexec.patch b/debian/patches/debian/tools-perf-perf-read-vdso-in-libexec.patch
new file mode 100644
index 000000000..eacd9ce17
--- /dev/null
+++ b/debian/patches/debian/tools-perf-perf-read-vdso-in-libexec.patch
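Review bot: The `--install-layout=deb` option added to the `install-python_ext` recipe is a Debian-specific extension of distutils/setuptools, not an upstream `setup.py install` flag, and the patch has no body explaining that; a one-line description such as `--install-layout=deb is provided by Debian's python packaging so the bindings land in dist-packages` would save the next reader a search. Since distutils was removed from Python 3.12, whether this still works presumably depends on the perf build running under a setuptools that carries the same Debian patch — worth confirming when the toolchain moves.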
@@ -0,0 +1,32 @@
+From: Ben Hutchings <benh@debian.org>
+Date: Mon, 11 May 2015 02:51:07 +0000
+Subject: linux-tools: Install perf-read-vdso{,x}32 in directory under /usr/lib
+
+--- a/tools/perf/Makefile.perf
++++ b/tools/perf/Makefile.perf
+@@ -947,21 +947,21 @@ install-tools: all install-gtk
+ $(LN) '$(DESTDIR_SQ)$(bindir_SQ)/perf' '$(DESTDIR_SQ)$(bindir_SQ)/trace'; \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(includedir_SQ)/perf'; \
+ $(INSTALL) -m 644 include/perf/perf_dlfilter.h -t '$(DESTDIR_SQ)$(includedir_SQ)/perf'
++ $(call QUIET_INSTALL, libexec) \
++ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
+ ifndef NO_PERF_READ_VDSO32
+ $(call QUIET_INSTALL, perf-read-vdso32) \
+- $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(bindir_SQ)';
++ $(INSTALL) $(OUTPUT)perf-read-vdso32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
+ endif
+ ifndef NO_PERF_READ_VDSOX32
+ $(call QUIET_INSTALL, perf-read-vdsox32) \
+- $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(bindir_SQ)';
++ $(INSTALL) $(OUTPUT)perf-read-vdsox32 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)';
+ endif
+ ifndef NO_JVMTI
+ $(call QUIET_INSTALL, $(LIBJVMTI)) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(libdir_SQ)'; \
+ $(INSTALL) $(OUTPUT)$(LIBJVMTI) '$(DESTDIR_SQ)$(libdir_SQ)';
+ endif
+- $(call QUIET_INSTALL, libexec) \
+- $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perfexec_instdir_SQ)'
+ ifndef NO_LIBBPF
+ $(call QUIET_INSTALL, bpf-headers) \
+ $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$(perf_include_instdir_SQ)/bpf'; \
diff --git a/debian/patches/debian/uname-version-timestamp.patch b/debian/patches/debian/uname-version-timestamp.patch
new file mode 100644
index 000000000..4be158e09
--- /dev/null
+++ b/debian/patches/debian/uname-version-timestamp.patch
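Review bot: The Makefile.perf hunk relocates perf-read-vdso32/x32 from `$(bindir_SQ)` to `$(perfexec_instdir_SQ)`, but the patch has no body beyond its Subject and nothing in the hunk shows that perf looks for these helpers under the perfexec directory at runtime; if that lookup lives elsewhere in tools/perf, the description should name it so the relocation can be checked against it. The `libexec` directory creation is also hoisted above the `ifndef NO_PERF_READ_VDSO32` block, which the new install path needs; a sentence such as `Create perfexec_instdir before the vdso helpers are installed into it` would explain why the two lines move rather than just change.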
@@ -0,0 +1,26 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: Make mkcompile_h accept an alternate timestamp string
+Date: Tue, 12 May 2015 19:29:22 +0100
+Forwarded: not-needed
+
+We want to include the Debian version in the utsname::version string
+instead of a full timestamp string. However, we still need to provide
+a standard timestamp string for gen_initramfs_list.sh to make the
+kernel image reproducible.
+
+Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
+$KBUILD_BUILD_TIMESTAMP.
+
+Index: linux/init/Makefile
+===================================================================
+--- linux.orig/init/Makefile
++++ linux/init/Makefile
+@@ -29,7 +29,7 @@ preempt-flag-$(CONFIG_PREEMPT_DYNAMIC) :
+ preempt-flag-$(CONFIG_PREEMPT_RT) := PREEMPT_RT
+
+ build-version = $(or $(KBUILD_BUILD_VERSION), $(build-version-auto))
+-build-timestamp = $(or $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
++build-timestamp = $(or $(KBUILD_BUILD_VERSION_TIMESTAMP), $(KBUILD_BUILD_TIMESTAMP), $(build-timestamp-auto))
+
+ # Maximum length of UTS_VERSION is 64 chars
+ filechk_uts_version = \
diff --git a/debian/patches/debian/version.patch b/debian/patches/debian/version.patch
new file mode 100644
index 000000000..1425f555a
--- /dev/null
+++ b/debian/patches/debian/version.patch
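Review bot: The Subject and body still describe a change to mkcompile_h, but the hunk edits the `build-timestamp` variable in init/Makefile, so the description no longer matches the code it carries; `Make init/Makefile use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to $KBUILD_BUILD_TIMESTAMP` would be accurate. The extended `$(or ...)` chain falls through to `$(build-timestamp-auto)` when neither variable is set, which preserves the pre-patch behaviour but means reproducibility still depends on the packaging exporting one of them — worth one sentence in the description.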
@@ -0,0 +1,186 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: Include package version along with kernel release in stack traces
+Date: Tue, 24 Jul 2012 03:13:10 +0100
+Forwarded: not-needed
+
+For distribution binary packages we assume
+$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
+are set.
+---
+ Makefile | 15 ++++++++++++++-
+ arch/ia64/kernel/process.c | 5 +++--
+ arch/powerpc/kernel/process.c | 6 ++++--
+ arch/x86/um/sysrq_64.c | 6 ++++--
+ kernel/hung_task.c | 6 ++++--
+ lib/dump_stack.c | 6 ++++--
+ 6 files changed, 33 insertions(+), 11 deletions(-)
+
+Index: linux/Makefile
+===================================================================
+--- linux.orig/Makefile
++++ linux/Makefile
+@@ -1263,7 +1263,8 @@ PHONY += prepare archprepare
+
+ archprepare: outputmakefile archheaders archscripts scripts include/config/kernel.release \
+ asm-generic $(version_h) $(autoksyms_h) include/generated/utsrelease.h \
+- include/generated/compile.h include/generated/autoconf.h remove-stale-files
++ include/generated/compile.h include/generated/autoconf.h \
++ include/generated/package.h remove-stale-files
+
+ prepare0: archprepare
+ $(Q)$(MAKE) $(build)=scripts/mod
+@@ -1321,6 +1322,16 @@ define filechk_version.h
+ echo \#define LINUX_VERSION_SUBLEVEL $(SUBLEVEL)
+ endef
+
++ifneq ($(DISTRIBUTION_OFFICIAL_BUILD),)
++define filechk_package.h
++ echo \#define LINUX_PACKAGE_ID \" $(DISTRIBUTOR) $(DISTRIBUTION_VERSION)\"
++endef
++else
++define filechk_package.h
++ echo \#define LINUX_PACKAGE_ID \"\"
++endef
++endif
++
+ $(version_h): PATCHLEVEL := $(or $(PATCHLEVEL), 0)
+ $(version_h): SUBLEVEL := $(or $(SUBLEVEL), 0)
+ $(version_h): FORCE
+@@ -1335,6 +1346,9 @@ filechk_compile.h = $(srctree)/scripts/m
+ include/generated/compile.h: FORCE
+ $(call filechk,compile.h)
+
++include/generated/package.h: $(srctree)/Makefile FORCE
++ $(call filechk,package.h)
++
+ PHONY += headerdep
+ headerdep:
+ $(Q)find $(srctree)/include/ -name '*.h' | xargs --max-args 1 \
+Index: linux/arch/ia64/kernel/process.c
+===================================================================
+--- linux.orig/arch/ia64/kernel/process.c
++++ linux/arch/ia64/kernel/process.c
+@@ -35,6 +35,7 @@
+ #include <linux/utsname.h>
+ #include <linux/resume_user_mode.h>
+ #include <linux/rcupdate.h>
++#include <generated/package.h>
+
+ #include <asm/cpu.h>
+ #include <asm/delay.h>
+@@ -102,9 +103,9 @@ show_regs (struct pt_regs *regs)
+ print_modules();
+ printk("\n");
+ show_regs_print_info(KERN_DEFAULT);
+- printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s)\n",
++ printk("psr : %016lx ifs : %016lx ip : [<%016lx>] %s (%s%s)\n",
+ regs->cr_ipsr, regs->cr_ifs, ip, print_tainted(),
+- init_utsname()->release);
++ init_utsname()->release, LINUX_PACKAGE_ID);
+ printk("ip is at %pS\n", (void *)ip);
+ printk("unat: %016lx pfs : %016lx rsc : %016lx\n",
+ regs->ar_unat, regs->ar_pfs, regs->ar_rsc);
+Index: linux/arch/powerpc/kernel/process.c
+===================================================================
+--- linux.orig/arch/powerpc/kernel/process.c
++++ linux/arch/powerpc/kernel/process.c
+@@ -38,6 +38,7 @@
+ #include <linux/uaccess.h>
+ #include <linux/pkeys.h>
+ #include <linux/seq_buf.h>
++#include <generated/package.h>
+
+ #include <asm/interrupt.h>
+ #include <asm/io.h>
+@@ -1520,8 +1521,9 @@ static void __show_regs(struct pt_regs *
+
+ printk("NIP: "REG" LR: "REG" CTR: "REG"\n",
+ regs->nip, regs->link, regs->ctr);
+- printk("REGS: %px TRAP: %04lx %s (%s)\n",
+- regs, regs->trap, print_tainted(), init_utsname()->release);
++ printk("REGS: %px TRAP: %04lx %s (%s%s)\n",
++ regs, regs->trap, print_tainted(), init_utsname()->release,
++ LINUX_PACKAGE_ID);
+ printk("MSR: "REG" ", regs->msr);
+ print_msr_bits(regs->msr);
+ pr_cont(" CR: %08lx XER: %08lx\n", regs->ccr, regs->xer);
+Index: linux/arch/x86/um/sysrq_64.c
+===================================================================
+--- linux.orig/arch/x86/um/sysrq_64.c
++++ linux/arch/x86/um/sysrq_64.c
+@@ -9,6 +9,7 @@
+ #include <linux/sched.h>
+ #include <linux/sched/debug.h>
+ #include <linux/utsname.h>
++#include <generated/package.h>
+ #include <asm/current.h>
+ #include <asm/ptrace.h>
+ #include <asm/sysrq.h>
+@@ -17,8 +18,9 @@ void show_regs(struct pt_regs *regs)
+ {
+ printk("\n");
+ print_modules();
+- printk(KERN_INFO "Pid: %d, comm: %.20s %s %s\n", task_pid_nr(current),
+- current->comm, print_tainted(), init_utsname()->release);
++ printk(KERN_INFO "Pid: %d, comm: %.20s %s %s%s\n", task_pid_nr(current),
++ current->comm, print_tainted(), init_utsname()->release,
++ LINUX_PACKAGE_ID);
+ printk(KERN_INFO "RIP: %04lx:%pS\n", PT_REGS_CS(regs) & 0xffff,
+ (void *)PT_REGS_IP(regs));
+ printk(KERN_INFO "RSP: %016lx EFLAGS: %08lx\n", PT_REGS_SP(regs),
+Index: linux/kernel/hung_task.c
+===================================================================
+--- linux.orig/kernel/hung_task.c
++++ linux/kernel/hung_task.c
+@@ -24,6 +24,7 @@
+ #include <linux/sched/sysctl.h>
+
+ #include <trace/events/sched.h>
++#include <generated/package.h>
+
+ /*
+ * The number of tasks checked:
+@@ -131,10 +132,11 @@ static void check_hung_task(struct task_
+ sysctl_hung_task_warnings--;
+ pr_err("INFO: task %s:%d blocked for more than %ld seconds.\n",
+ t->comm, t->pid, (jiffies - t->last_switch_time) / HZ);
+- pr_err(" %s %s %.*s\n",
++ pr_err(" %s %s %.*s%s\n",
+ print_tainted(), init_utsname()->release,
+ (int)strcspn(init_utsname()->version, " "),
+- init_utsname()->version);
++ init_utsname()->version,
++ LINUX_PACKAGE_ID);
+ pr_err("\"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\""
+ " disables this message.\n");
+ sched_show_task(t);
+Index: linux/lib/dump_stack.c
+===================================================================
+--- linux.orig/lib/dump_stack.c
++++ linux/lib/dump_stack.c
+@@ -14,6 +14,7 @@
+ #include <linux/kexec.h>
+ #include <linux/utsname.h>
+ #include <linux/stop_machine.h>
++#include <generated/package.h>
+
+ static char dump_stack_arch_desc_str[128];
+
+@@ -54,13 +55,15 @@ void __init dump_stack_set_arch_desc(con
+ */
+ void dump_stack_print_info(const char *log_lvl)
+ {
+- printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s" BUILD_ID_FMT "\n",
++ printk("%sCPU: %d PID: %d Comm: %.20s %s%s %s %.*s %s" BUILD_ID_FMT "\n",
+ log_lvl, raw_smp_processor_id(), current->pid, current->comm,
+ kexec_crash_loaded() ? "Kdump: loaded " : "",
+ print_tainted(),
+ init_utsname()->release,
+ (int)strcspn(init_utsname()->version, " "),
+- init_utsname()->version, BUILD_ID_VAL);
++ init_utsname()->version,
++ LINUX_PACKAGE_ID,
++ BUILD_ID_VAL);
+
+ if (dump_stack_arch_desc_str[0] != '\0')
+ printk("%sHardware name: %s\n",
diff --git a/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch b/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch
new file mode 100644
index 000000000..edbf8657f
--- /dev/null
+++ b/debian/patches/debian/wireless-add-debian-wireless-regdb-certificates.patch
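Review bot: The dump_stack.c hunk formats the package id as `%.*s %s`, while the hung_task.c, ia64, powerpc and um hunks append it as `%s` directly after the preceding field; since `filechk_package.h` generates `LINUX_PACKAGE_ID` with a leading space (`\" $(DISTRIBUTOR) $(DISTRIBUTION_VERSION)\"`), the dump_stack line prints a double space when the id is set and a stray trailing space when it is `""`. Changing that format to `%.*s%s` brings it in line with the other four call sites. Separately, `$(DISTRIBUTOR)` and `$(DISTRIBUTION_VERSION)` are pasted into a C string literal unescaped, so a double quote or backslash in either value breaks the generated header at compile time; either the Makefile should reject such values or the description should state that constraint on the packaging.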
@@ -0,0 +1,1452 @@ +From: Ben Hutchings <ben@decadent.org.uk> +Date: Fri, 13 Apr 2018 20:10:28 +0100 +Subject: wireless: Add Debian wireless-regdb certificates +Forwarded: not-needed + +This hex dump is generated using: + +{ + for cert in debian/certs/wireless-regdb-*.pem; do + openssl x509 -in $cert -outform der; + done +} | hexdump -v -e '1/1 "0x%.2x," "\n"' > net/wireless/certs/debian.hex +--- + net/wireless/certs/debian.hex | 1426 +++++++++++++++++++++++++++++++++ + 1 file changed, 1426 insertions(+) + create mode 100644 net/wireless/certs/debian.hex + +diff --git a/net/wireless/certs/debian.hex b/net/wireless/certs/debian.hex +new file mode 100644 +index 000000000000..c5ab03f8c500 +--- /dev/null ++++ b/net/wireless/certs/debian.hex +@@ -0,0 +1,1426 @@ ++0x30, ++0x82, ++0x02, ++0xbd, ++0x30, ++0x82, ++0x01, ++0xa5, ++0x02, ++0x14, ++0x57, ++0x7e, ++0x02, ++0x1c, ++0xb9, ++0x80, ++0xe0, ++0xe8, ++0x20, ++0x82, ++0x1b, ++0xa7, ++0xb5, ++0x4b, ++0x49, ++0x61, ++0xb8, ++0xb4, ++0xfa, ++0xdf, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x0b, ++0x05, ++0x00, ++0x30, ++0x1a, ++0x31, ++0x18, ++0x30, ++0x16, ++0x06, ++0x03, ++0x55, ++0x04, ++0x03, ++0x0c, ++0x0f, ++0x62, ++0x65, ++0x6e, ++0x68, ++0x40, ++0x64, ++0x65, ++0x62, ++0x69, ++0x61, ++0x6e, ++0x2e, ++0x6f, ++0x72, ++0x67, ++0x30, ++0x20, ++0x17, ++0x0d, ++0x32, ++0x30, ++0x30, ++0x31, ++0x33, ++0x30, ++0x31, ++0x33, ++0x32, ++0x36, ++0x31, ++0x33, ++0x5a, ++0x18, ++0x0f, ++0x32, ++0x31, ++0x32, ++0x30, ++0x30, ++0x31, ++0x30, ++0x36, ++0x31, ++0x33, ++0x32, ++0x36, ++0x31, ++0x33, ++0x5a, ++0x30, ++0x1a, ++0x31, ++0x18, ++0x30, ++0x16, ++0x06, ++0x03, ++0x55, ++0x04, ++0x03, ++0x0c, ++0x0f, ++0x62, ++0x65, ++0x6e, ++0x68, ++0x40, ++0x64, ++0x65, ++0x62, ++0x69, ++0x61, ++0x6e, ++0x2e, ++0x6f, ++0x72, ++0x67, ++0x30, ++0x82, ++0x01, ++0x22, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x01, ++0x05, ++0x00, 
++0x03, ++0x82, ++0x01, ++0x0f, ++0x00, ++0x30, ++0x82, ++0x01, ++0x0a, ++0x02, ++0x82, ++0x01, ++0x01, ++0x00, ++0x9d, ++0xe1, ++0x77, ++0xa0, ++0x24, ++0xa0, ++0xd5, ++0x79, ++0x65, ++0x3a, ++0x07, ++0x90, ++0xc9, ++0xf6, ++0xa5, ++0xa6, ++0x1f, ++0x84, ++0x1c, ++0x23, ++0x07, ++0x4b, ++0x4f, ++0xa5, ++0x03, ++0xc6, ++0x0f, ++0xf7, ++0x54, ++0xd5, ++0x8b, ++0x7e, ++0x79, ++0x81, ++0x00, ++0xd2, ++0xe9, ++0x3d, ++0xf4, ++0x97, ++0xfe, ++0x84, ++0xcd, ++0x55, ++0xbd, ++0xc9, ++0x8f, ++0x21, ++0x57, ++0x88, ++0x06, ++0x39, ++0x90, ++0x66, ++0x41, ++0x26, ++0x79, ++0x2c, ++0xca, ++0x3f, ++0x95, ++0x87, ++0x01, ++0x11, ++0x2f, ++0x2f, ++0xb0, ++0xe1, ++0x0b, ++0x43, ++0xfc, ++0x5f, ++0x2f, ++0x4f, ++0x67, ++0x04, ++0xdb, ++0x4d, ++0xb7, ++0x72, ++0x4d, ++0xd1, ++0xc5, ++0x76, ++0x73, ++0x4d, ++0x91, ++0x69, ++0xb0, ++0x71, ++0x17, ++0x36, ++0xea, ++0xab, ++0x0a, ++0x3a, ++0xcd, ++0x95, ++0x9b, ++0x76, ++0x1b, ++0x8e, ++0x21, ++0x17, ++0x8f, ++0xc5, ++0x02, ++0xbf, ++0x24, ++0xc7, ++0xc0, ++0x40, ++0xb1, ++0x3b, ++0xc4, ++0x80, ++0x7c, ++0x71, ++0xa5, ++0x51, ++0xdc, ++0xf7, ++0x3a, ++0x58, ++0x7f, ++0xb1, ++0x07, ++0x81, ++0x8a, ++0x10, ++0xd1, ++0xf6, ++0x93, ++0x17, ++0x71, ++0xe0, ++0xfa, ++0x51, ++0x79, ++0x15, ++0xd4, ++0xd7, ++0x8f, ++0xad, ++0xbd, ++0x6f, ++0x38, ++0xe1, ++0x26, ++0x7d, ++0xbc, ++0xf0, ++0x3e, ++0x80, ++0x89, ++0xb4, ++0xec, ++0x8e, ++0x69, ++0x90, ++0xdb, ++0x97, ++0x8a, ++0xf0, ++0x23, ++0x23, ++0x83, ++0x82, ++0x3b, ++0x6a, ++0xb1, ++0xac, ++0xeb, ++0xe7, ++0x99, ++0x74, ++0x2a, ++0x35, ++0x8e, ++0xa9, ++0x64, ++0xfd, ++0x46, ++0x9e, ++0xe8, ++0xe5, ++0x48, ++0x61, ++0x31, ++0x6e, ++0xe6, ++0xfc, ++0x19, ++0x18, ++0x54, ++0xc3, ++0x1b, ++0x4f, ++0xd6, ++0x00, ++0x44, ++0x87, ++0x1c, ++0x37, ++0x45, ++0xea, ++0xf5, ++0xc9, ++0xcb, ++0x0f, ++0x0c, ++0x55, ++0xec, ++0xcf, ++0x6a, ++0xc2, ++0x45, ++0x26, ++0x23, ++0xa2, ++0x31, ++0x52, ++0x4d, ++0xee, ++0x21, ++0x7d, ++0xfd, ++0x58, ++0x72, ++0xc2, ++0x28, ++0xc5, ++0x8e, ++0xa9, ++0xd0, ++0xee, 
++0x01, ++0x77, ++0x08, ++0xa5, ++0xf0, ++0x22, ++0x2b, ++0x47, ++0x79, ++0x2b, ++0xcf, ++0x9a, ++0x46, ++0xb5, ++0x8f, ++0xfd, ++0x64, ++0xa2, ++0xb5, ++0xed, ++0x02, ++0x03, ++0x01, ++0x00, ++0x01, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x0b, ++0x05, ++0x00, ++0x03, ++0x82, ++0x01, ++0x01, ++0x00, ++0x20, ++0x44, ++0xfe, ++0xa9, ++0x9e, ++0xdd, ++0x9b, ++0xea, ++0xce, ++0x25, ++0x75, ++0x08, ++0xf0, ++0x2b, ++0x53, ++0xf7, ++0x5a, ++0x36, ++0x1c, ++0x4a, ++0x23, ++0x7f, ++0xd0, ++0x41, ++0x3c, ++0x12, ++0x2b, ++0xb9, ++0x80, ++0x4e, ++0x8a, ++0x15, ++0x5d, ++0x1f, ++0x40, ++0xa7, ++0x26, ++0x28, ++0x32, ++0xc3, ++0x5b, ++0x06, ++0x28, ++0x2d, ++0x3d, ++0x08, ++0x09, ++0x1e, ++0x01, ++0xe9, ++0x67, ++0xe3, ++0x33, ++0xe6, ++0x15, ++0x45, ++0x39, ++0xee, ++0x17, ++0x83, ++0xdb, ++0x42, ++0xff, ++0x7f, ++0x35, ++0xf4, ++0xac, ++0x16, ++0xdb, ++0xba, ++0xb8, ++0x1a, ++0x20, ++0x21, ++0x41, ++0xff, ++0xf3, ++0x92, ++0xff, ++0x65, ++0x6e, ++0x29, ++0x16, ++0xd0, ++0xbf, ++0x8d, ++0xdf, ++0x48, ++0x2c, ++0x73, ++0x36, ++0x7f, ++0x22, ++0xe6, ++0xee, ++0x78, ++0xb4, ++0x63, ++0x83, ++0x0e, ++0x39, ++0xeb, ++0xaf, ++0x10, ++0x2a, ++0x90, ++0xd3, ++0xfc, ++0xe6, ++0xc3, ++0x8f, ++0x97, ++0x5b, ++0x76, ++0xbf, ++0x9b, ++0xf5, ++0x98, ++0xd2, ++0x53, ++0x06, ++0x8b, ++0xf8, ++0xa4, ++0x04, ++0x9b, ++0x1b, ++0x62, ++0x6a, ++0x9d, ++0xac, ++0xe6, ++0x4b, ++0x0d, ++0xc9, ++0xd7, ++0x56, ++0x63, ++0x15, ++0x01, ++0x38, ++0x8c, ++0xbe, ++0xf1, ++0x44, ++0xc4, ++0x38, ++0x27, ++0xe0, ++0xcf, ++0x72, ++0xd6, ++0x3d, ++0xe4, ++0xf7, ++0x4b, ++0x3b, ++0xd2, ++0xb1, ++0x0c, ++0xd5, ++0x83, ++0x6d, ++0x1e, ++0x10, ++0x04, ++0x69, ++0x29, ++0x88, ++0x69, ++0xe0, ++0x7d, ++0xd7, ++0xdb, ++0xb4, ++0x59, ++0x72, ++0x8d, ++0x9d, ++0x3c, ++0x43, ++0xaf, ++0xc6, ++0x7d, ++0xb7, ++0x21, ++0x15, ++0x52, ++0x8a, ++0xe9, ++0x9b, ++0x6b, ++0x2e, ++0xe8, ++0x27, ++0x3c, ++0x3f, ++0x2d, ++0x84, ++0xfb, ++0x9a, ++0x22, ++0x0a, ++0x9f, ++0x6a, 
++0x25, ++0xe6, ++0x39, ++0xe4, ++0x74, ++0x73, ++0xb6, ++0x2a, ++0x70, ++0xaa, ++0x1d, ++0xcb, ++0xcc, ++0xd4, ++0xa0, ++0x1b, ++0x26, ++0x71, ++0x63, ++0x04, ++0xc5, ++0x12, ++0x21, ++0x48, ++0xba, ++0x92, ++0x27, ++0x06, ++0xa8, ++0x3e, ++0x6d, ++0xa1, ++0x43, ++0xa5, ++0xd2, ++0x2a, ++0xf7, ++0xca, ++0xc4, ++0x26, ++0xe8, ++0x5b, ++0x1f, ++0xe4, ++0xdc, ++0x89, ++0xdc, ++0x1f, ++0x04, ++0x79, ++0x3f, ++0x30, ++0x82, ++0x02, ++0xcd, ++0x30, ++0x82, ++0x01, ++0xb5, ++0x02, ++0x14, ++0x3a, ++0xbb, ++0xc6, ++0xec, ++0x14, ++0x6e, ++0x09, ++0xd1, ++0xb6, ++0x01, ++0x6a, ++0xb9, ++0xd6, ++0xcf, ++0x71, ++0xdd, ++0x23, ++0x3f, ++0x03, ++0x28, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x0b, ++0x05, ++0x00, ++0x30, ++0x22, ++0x31, ++0x20, ++0x30, ++0x1e, ++0x06, ++0x03, ++0x55, ++0x04, ++0x03, ++0x0c, ++0x17, ++0x72, ++0x6f, ++0x6d, ++0x61, ++0x69, ++0x6e, ++0x2e, ++0x70, ++0x65, ++0x72, ++0x69, ++0x65, ++0x72, ++0x40, ++0x67, ++0x6d, ++0x61, ++0x69, ++0x6c, ++0x2e, ++0x63, ++0x6f, ++0x6d, ++0x30, ++0x20, ++0x17, ++0x0d, ++0x32, ++0x30, ++0x30, ++0x32, ++0x32, ++0x34, ++0x31, ++0x39, ++0x30, ++0x31, ++0x34, ++0x34, ++0x5a, ++0x18, ++0x0f, ++0x32, ++0x31, ++0x32, ++0x30, ++0x30, ++0x31, ++0x33, ++0x31, ++0x31, ++0x39, ++0x30, ++0x31, ++0x34, ++0x34, ++0x5a, ++0x30, ++0x22, ++0x31, ++0x20, ++0x30, ++0x1e, ++0x06, ++0x03, ++0x55, ++0x04, ++0x03, ++0x0c, ++0x17, ++0x72, ++0x6f, ++0x6d, ++0x61, ++0x69, ++0x6e, ++0x2e, ++0x70, ++0x65, ++0x72, ++0x69, ++0x65, ++0x72, ++0x40, ++0x67, ++0x6d, ++0x61, ++0x69, ++0x6c, ++0x2e, ++0x63, ++0x6f, ++0x6d, ++0x30, ++0x82, ++0x01, ++0x22, ++0x30, ++0x0d, ++0x06, ++0x09, ++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x01, ++0x05, ++0x00, ++0x03, ++0x82, ++0x01, ++0x0f, ++0x00, ++0x30, ++0x82, ++0x01, ++0x0a, ++0x02, ++0x82, ++0x01, ++0x01, ++0x00, ++0xf0, ++0xb8, ++0x4f, ++0x3f, ++0x70, ++0x78, ++0xf8, ++0x74, ++0x45, ++0xa2, ++0x28, ++0xaf, ++0x04, ++0x75, ++0x04, 
++0xa3, ++0xf3, ++0xa7, ++0xc7, ++0x04, ++0xac, ++0xb6, ++0xe1, ++0xfc, ++0xe1, ++0xc0, ++0x3d, ++0xe0, ++0x26, ++0x90, ++0x8a, ++0x45, ++0x60, ++0xc4, ++0x75, ++0xf3, ++0x1a, ++0x33, ++0x37, ++0x56, ++0x7d, ++0x30, ++0x07, ++0x75, ++0x0e, ++0xa6, ++0x79, ++0x06, ++0x95, ++0x9d, ++0x17, ++0x3c, ++0x09, ++0xa9, ++0x7f, ++0xab, ++0x95, ++0x5d, ++0xed, ++0xe0, ++0x75, ++0x26, ++0x2f, ++0x65, ++0x65, ++0xcd, ++0x61, ++0xb1, ++0x33, ++0x27, ++0x67, ++0x41, ++0xa1, ++0x01, ++0x13, ++0xe9, ++0x13, ++0x6a, ++0x6d, ++0x4e, ++0x98, ++0xe1, ++0x9e, ++0x7b, ++0x0b, ++0x5b, ++0x44, ++0xef, ++0x68, ++0x5a, ++0x6f, ++0x7d, ++0x97, ++0xa1, ++0x33, ++0x22, ++0x97, ++0x12, ++0x21, ++0x09, ++0x8f, ++0x90, ++0xe0, ++0x25, ++0x94, ++0xdd, ++0x8a, ++0x3a, ++0xf7, ++0x4a, ++0x60, ++0x04, ++0x26, ++0x6d, ++0x00, ++0x82, ++0xe4, ++0xcf, ++0x64, ++0x1c, ++0x79, ++0x15, ++0x24, ++0xf2, ++0x42, ++0x86, ++0xf5, ++0x10, ++0x86, ++0xac, ++0x20, ++0x88, ++0x90, ++0x87, ++0xdf, ++0x8c, ++0x37, ++0x7c, ++0xbf, ++0x35, ++0xd5, ++0x6f, ++0x9f, ++0x77, ++0xc3, ++0xcd, ++0x69, ++0x25, ++0x06, ++0xc2, ++0x65, ++0x51, ++0x71, ++0x89, ++0x7f, ++0x6e, ++0x4d, ++0xe5, ++0xd5, ++0x8a, ++0x36, ++0x1a, ++0xad, ++0xc1, ++0x18, ++0xd6, ++0x14, ++0x42, ++0x87, ++0xf0, ++0x93, ++0x83, ++0xf1, ++0x99, ++0x74, ++0xc4, ++0x13, ++0xaa, ++0x3b, ++0x66, ++0x85, ++0x6f, ++0xe0, ++0xbc, ++0x5f, ++0xb6, ++0x40, ++0xa6, ++0x41, ++0x06, ++0x0a, ++0xba, ++0x0e, ++0xe9, ++0x32, ++0x44, ++0x10, ++0x39, ++0x53, ++0xcd, ++0xbf, ++0xf3, ++0xd3, ++0x26, ++0xf6, ++0xb6, ++0x2b, ++0x40, ++0x2e, ++0xb9, ++0x88, ++0xc1, ++0xf4, ++0xe3, ++0xa0, ++0x28, ++0x77, ++0x4f, ++0xba, ++0xa8, ++0xca, ++0x9c, ++0x05, ++0xba, ++0x88, ++0x96, ++0x99, ++0x54, ++0x89, ++0xa2, ++0x8d, ++0xf3, ++0x73, ++0xa1, ++0x8c, ++0x4a, ++0xa8, ++0x71, ++0xee, ++0x2e, ++0xd2, ++0x83, ++0x14, ++0x48, ++0xbd, ++0x98, ++0xc6, ++0xce, ++0xdc, ++0xa8, ++0xa3, ++0x97, ++0x2e, ++0x40, ++0x16, ++0x2f, ++0x02, ++0x03, ++0x01, ++0x00, ++0x01, ++0x30, ++0x0d, ++0x06, ++0x09, 
++0x2a, ++0x86, ++0x48, ++0x86, ++0xf7, ++0x0d, ++0x01, ++0x01, ++0x0b, ++0x05, ++0x00, ++0x03, ++0x82, ++0x01, ++0x01, ++0x00, ++0x76, ++0x5d, ++0x03, ++0x3d, ++0xb6, ++0x96, ++0x00, ++0x1b, ++0x6e, ++0x0c, ++0xdd, ++0xbb, ++0xc8, ++0xdf, ++0xbc, ++0xeb, ++0x6c, ++0x01, ++0x40, ++0x1a, ++0x2b, ++0x07, ++0x60, ++0xa1, ++0x1a, ++0xe1, ++0x43, ++0x57, ++0xfa, ++0xbe, ++0xde, ++0xbb, ++0x8f, ++0x73, ++0xf3, ++0x92, ++0xa2, ++0xaa, ++0x83, ++0x01, ++0xc1, ++0x17, ++0xe4, ++0x9d, ++0x09, ++0x41, ++0xe0, ++0x32, ++0x33, ++0x97, ++0x4b, ++0xf2, ++0xdc, ++0x0f, ++0x8b, ++0xa8, ++0xb8, ++0x5a, ++0x04, ++0x86, ++0xf6, ++0x71, ++0xa1, ++0x97, ++0xd0, ++0x54, ++0x56, ++0x10, ++0x8e, ++0x54, ++0x99, ++0x0d, ++0x2a, ++0xa9, ++0xaf, ++0x1b, ++0x55, ++0x59, ++0x06, ++0x2b, ++0xa4, ++0x5f, ++0xb1, ++0x54, ++0xa6, ++0xec, ++0xc7, ++0xd6, ++0x43, ++0xee, ++0x86, ++0x2c, ++0x9b, ++0x18, ++0x9d, ++0x8f, ++0x00, ++0x82, ++0xc1, ++0x88, ++0x61, ++0x16, ++0x85, ++0x3c, ++0x17, ++0x56, ++0xfe, ++0x6a, ++0xa0, ++0x7a, ++0x68, ++0xc5, ++0x7b, ++0x3d, ++0x3c, ++0xb6, ++0x13, ++0x18, ++0x99, ++0x6d, ++0x74, ++0x65, ++0x13, ++0x67, ++0xb7, ++0xfc, ++0x5a, ++0x44, ++0x48, ++0x72, ++0xa0, ++0x73, ++0xb8, ++0xff, ++0x02, ++0x9d, ++0x7c, ++0x5b, ++0xf9, ++0x7c, ++0x75, ++0x0a, ++0x3c, ++0x81, ++0x80, ++0x3c, ++0x41, ++0xf2, ++0xd5, ++0xfa, ++0x3d, ++0x1f, ++0xe3, ++0xda, ++0x8c, ++0xa5, ++0x17, ++0x1f, ++0x53, ++0x1a, ++0x75, ++0xad, ++0x4e, ++0x11, ++0x1c, ++0x07, ++0xec, ++0x0a, ++0x69, ++0xfd, ++0x33, ++0xfa, ++0x32, ++0x7e, ++0x66, ++0xf5, ++0x29, ++0xe8, ++0x4d, ++0x8a, ++0xfa, ++0x0d, ++0x4b, ++0x68, ++0xc3, ++0x95, ++0x11, ++0xba, ++0x6f, ++0x1e, ++0x07, ++0x8c, ++0x85, ++0xc7, ++0xc7, ++0xc9, ++0xc1, ++0x30, ++0xa3, ++0x70, ++0xb0, ++0xa1, ++0xe0, ++0xd5, ++0x85, ++0x15, ++0x94, ++0x77, ++0xc1, ++0x1c, ++0x91, ++0xf1, ++0x5f, ++0x50, ++0xcd, ++0x2c, ++0x57, ++0x4b, ++0x22, ++0x4f, ++0xee, ++0x95, ++0xd7, ++0xa7, ++0xa4, ++0x59, ++0x62, ++0xae, ++0xb9, ++0xbf, ++0xd7, ++0x63, ++0x5a, ++0x04, 
++0xfc,
++0x24,
++0x11,
++0xae,
++0x34,
++0x4b,
++0xf4,
++0x0c,
++0x9f,
++0x0b,
++0x59,
++0x7d,
++0x27,
++0x39,
++0x54,
++0x69,
++0x4f,
++0xfd,
++0x6e,
++0x44,
++0x9f,
++0x21,
+--
+2.25.1
+
diff --git a/debian/patches/debian/yama-disable-by-default.patch b/debian/patches/debian/yama-disable-by-default.patch
new file mode 100644
index 000000000..c33ac0c9d
--- /dev/null
+++ b/debian/patches/debian/yama-disable-by-default.patch
@@ -0,0 +1,32 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: yama: Disable by default
+Date: Wed, 19 Jun 2013 04:35:28 +0100
+Bug-Debian: https://bugs.debian.org/712740
+Forwarded: not-needed
+
+---
+ security/yama/yama_lsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
+index efac68556b45..95ff3e778a17 100644
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -28,7 +28,7 @@
+ #define YAMA_SCOPE_CAPABILITY 2
+ #define YAMA_SCOPE_NO_ATTACH 3
+
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
++static int ptrace_scope = YAMA_SCOPE_DISABLED;
+
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
+@@ -481,7 +481,7 @@ static inline void yama_init_sysctl(void) { }
+
+ static int __init yama_init(void)
+ {
+- pr_info("Yama: becoming mindful.\n");
++ pr_info("Yama: disabled by default; enable with sysctl kernel.yama.*\n");
+ security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
+ yama_init_sysctl();
+ return 0; |
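Review bot: The new `pr_info` in `yama_init` points the administrator at `kernel.yama.*`, which leaves the exact knob to be guessed; Yama exposes a single sysctl, so `pr_info("Yama: disabled by default; enable with sysctl kernel.yama.ptrace_scope\n");` tells them what to set. With `ptrace_scope` starting at `YAMA_SCOPE_DISABLED` the hooks are still registered through `security_add_hooks` and `yama_init_sysctl` still runs, so the scope can presumably be raised at runtime without a rebuild; stating that, and the reason for changing the default, in the patch body rather than only via the Bug-Debian link would make the security trade-off reviewable from the patch itself.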