From patchwork Thu Feb 21 16:59:32 2019
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1046298
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [precise/lts-trusty 1/2] UBUNTU: Packaging: Introduce copy-files and local-mangle
Date: Thu, 21 Feb 2019 13:59:32 -0300
Message-Id: <20190221165933.5616-2-cascardo@canonical.com>
In-Reply-To: <20190221165933.5616-1-cascardo@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1786013

Two new scripts are introduced in order to do some of the copying and
mangling of copies that update-from-*master does.

One of the changes on copy-files compared to update-from-*master is that
the -c option is given to rsync, so it compares checksums of files in order
to decide whether they are different and need an update. That's necessary
because sometimes files will have the same size and their modified time
will be within one second or the original file will be older because git
checked it out earlier.

The script is split in two so the copy-files may be shared between
different kernel trees and the very specific changes are done on the
local-mangle file, which is different between trees.

Also, in order to make the copy-files the same one for all trees, some of
the copies and updates are dependent on a local.conf file, which is present
only on those trees where it's needed. The contents of those files are not
so easily generated, so they are not part of update.conf.

Signed-off-by: Thadeu Lima de Souza Cascardo --- debian.trusty/changelog | 67 +++++++++------------- debian.trusty/etc/local.conf | 2 + debian.trusty/scripts/helpers/copy-files | 67 ++++++++++++++++++++++ debian.trusty/scripts/helpers/local-mangle | 36 ++++++++++++ 4 files changed, 133 insertions(+), 39 deletions(-) create mode 100644 debian.trusty/etc/local.conf create mode 100755 debian.trusty/scripts/helpers/copy-files create mode 100755 debian.trusty/scripts/helpers/local-mangle diff --git a/debian.trusty/changelog b/debian.trusty/changelog index 9b6de3ec0a3d..b2221fa2ea9b 100644 --- a/debian.trusty/changelog +++ b/debian.trusty/changelog @@ -1,21 +1,7 @@ linux-lts-trusty (3.13.0-166.216~precise1) precise; urgency=medium - * linux-lts-trusty: 3.13.0-166.216~precise1 -proposed tracker (LP: #1814646) - - * linux-buildinfo: pull out ABI information into its own package - (LP: #1806380) - - [Config] resync flavour-control.stub - - [Config] hooks.mk -- add basic LTS hook configuration - - * signing: only install a signed kernel (LP: #1764794) - - [debian] fix check for the reconstruct file - - * Packaging resync (LP: #1786013) - - [Packaging] update helper scripts - - [ Ubuntu: 3.13.0-166.216 ] - * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645) + * linux-buildinfo: pull out ABI information into its own package (LP: #1806380) - [Packaging] limit preparation to linux-libc-dev in headers @@ -29,6 +15,7 @@ linux-lts-trusty (3.13.0-166.216~precise1) precise; urgency=medium - [Packaging] getabis -- handle all known package combinations - [Packaging] getabis -- support parsing a simple version - [Packaging] autoreconstruct -- base tag is always primary mainline version + * signing: only install a signed kernel (LP: #1764794) - [Debian] usbip tools packaging - [Debian] Don't fail if a symlink already exists 
@@ -66,66 +53,66 @@ linux-lts-trusty (3.13.0-166.216~precise1) precise; urgency=medium - [debian] do not force do_tools_common - [Packaging] skip cloud tools packaging when not building package - [debian] prep linux-libc-dev only if do_libc_dev_package=true + * Packaging resync (LP: #1786013) - [Packaging] update helper scripts + * kernel oops in bcache module (LP: #1793901) - SAUCE: bcache: never writeback a discard operation + * iptables connlimit allows more connections than the limit when using multiple CPUs (LP: #1811094) - netfilter: connlimit: improve packet-to-closed-connection logic - netfilter: nf_conncount: fix garbage collection confirm race - netfilter: nf_conncount: don't skip eviction when age is negative + * CVE-2019-6133 - fork: record start_time late + * test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS (LP: #1813001) - procfs: make /proc/*/{stack, syscall, personality} 0400 - -- Kleber Sacilotto de Souza Thu, 14 Feb 2019 14:11:08 +0000 - -linux-lts-trusty (3.13.0-165.215~precise1) precise; urgency=medium - - * linux-lts-trusty: 3.13.0-165.215~precise1 -proposed tracker (LP: #1811857) - - * Packaging resync (LP: #1786013) - - [Packaging] update helper scripts + -- Kleber Sacilotto de Souza Thu, 07 Feb 2019 11:31:21 +0000 - [ Ubuntu: 3.13.0-165.215 ] +linux (3.13.0-165.215) trusty; urgency=medium * linux: 3.13.0-165.215 -proposed tracker (LP: #1811856) + * CVE-2018-17972 - proc: restrict kernel stack dumps to root + * CVE-2018-18281 - mremap: properly flush TLB before releasing the page + * 29d6d30f5c8aa58b04f40a58442df3bcaae5a1d5 in btrfs_kernel_fixes failed on T (LP: #1809868) - Btrfs: send, don't send rmdir for same target multiple times + * CVE-2018-9568 - net: Set sk_prot_creator when cloning sockets to the right proto + * CVE-2018-1066 - cifs: empty TargetInfo leads to crash on recovery - -- Stefan Bader Fri, 18 Jan 2019 18:07:01 +0100 - -linux-lts-trusty (3.13.0-164.214~precise1) precise; urgency=medium - - * linux-lts-trusty: 
3.13.0-164.214~precise1 -proposed tracker (LP: #1806429) - - * Packaging resync (LP: #1786013) - - [Packaging] update helper scripts - - [Packaging] update update.conf + -- Khalid Elmously Wed, 16 Jan 2019 06:19:08 +0000 - [ Ubuntu: 3.13.0-164.214 ] +linux (3.13.0-164.214) trusty; urgency=medium * linux: 3.13.0-164.214 -proposed tracker (LP: #1806428) + * CVE-2018-12896 - posix-timers: Sanitize overrun handling + * CVE-2018-16276 - USB: yurex: fix out-of-bounds uaccess in read handler + * CVE-2018-10902 - ALSA: rawmidi: Change resized buffers atomically + * CVE-2018-18386 - n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) + * CVE-2017-5753 - x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() @@ -152,21 +139,23 @@ linux-lts-trusty (3.13.0-164.214~precise1) precise; urgency=medium - fs/quota: Fix spectre gadget in do_quotactl - misc: hmc6352: fix potential Spectre v1 - tty: vt_ioctl: fix potential Spectre v1 + * CVE-2018-18710 - cdrom: fix improper type cast, which can leat to information leak. + * CVE-2018-18690 - xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE + * CVE-2018-14734 - infiniband: fix a possible use-after-free bug + * CVE-2017-2647 // CVE-2017-2647 / CVE-2017-6951 - keys: Guard against null match function in keyring_search_aux() - -- Kleber Sacilotto de Souza Thu, 06 Dec 2018 16:26:39 +0000 - -linux-lts-trusty (3.13.0-163.213~precise1) precise; urgency=medium + -- Khalid Elmously Wed, 05 Dec 2018 06:47:30 +0000 - * linux-lts-trusty: 3.13.0-163.213~precise1 -proposed tracker (LP: #1802772) +linux (3.13.0-163.213) trusty; urgency=medium * linux: 3.13.0-163.213 -proposed tracker (LP: #1802769) 
@@ -181,7 +170,7 @@ linux-lts-trusty (3.13.0-163.213~precise1) precise; urgency=medium * Packaging resync (LP: #1786013) - [Package] add support for specifying the primary makefile - -- Juerg Haefliger Thu, 15 Nov 2018 08:53:52 +0100 + -- Thadeu Lima de Souza Cascardo Tue, 13 Nov 2018 13:30:30 -0200 linux (3.13.0-162.212) trusty; urgency=medium diff --git a/debian.trusty/etc/local.conf b/debian.trusty/etc/local.conf new file mode 100644 index 000000000000..81ef3a7f79cf --- /dev/null +++ b/debian.trusty/etc/local.conf @@ -0,0 +1,2 @@ +SKIP_RULES_D=1 +FOREIGN_ARCHES="x32 arm64 powerpc ppc64el" diff --git a/debian.trusty/scripts/helpers/copy-files b/debian.trusty/scripts/helpers/copy-files new file mode 100755 index 000000000000..0ce0afe84578 --- /dev/null +++ b/debian.trusty/scripts/helpers/copy-files 
@@ -0,0 +1,67 @@ +#!/bin/bash -eu + +if [ -f debian/debian.env ]; then + # shellcheck disable=SC1091 + . debian/debian.env +fi + +if [ ! -d "${DEBIAN}" ]; then + echo You must run this script from the top directory of this repository. + exit 1 +fi + +CONF="${DEBIAN}"/etc/update.conf +if [ -f "${CONF}" ]; then + # shellcheck disable=SC1090 + . "${CONF}" +fi + +FOREIGN_ARCHES="" +LOCAL_CONF="${DEBIAN}/etc/local.conf" +if [ -f "${LOCAL_CONF}" ]; then + # shellcheck disable=SC1090 + . "${LOCAL_CONF}" +fi + +SKIP_RULES_D=${SKIP_RULES_D:-} + +# +# Pick up any master branch changes to udeb modules or firmware. +# +rsync -avc --delete "${DEBIAN_MASTER}/d-i/" "${DEBIAN}/d-i" + +# +# Update configs from master +# +rsync -avc --delete "${DEBIAN_MASTER}/config/" "${DEBIAN}/config" + +# +# Update package and DTB settings from master. +# +if [ -z "${SKIP_RULES_D}" ] ; then + rsync -avc "${DEBIAN_MASTER}/rules.d/"*.mk "${DEBIAN}/rules.d/" +fi + +# Remove the .mk files from the arch's that are not supported +for i in ${FOREIGN_ARCHES} +do + rm -f "${DEBIAN}/rules.d/${i}.mk" + git rm -f --ignore-unmatch "${DEBIAN}/rules.d/${i}.mk" || true +done + +# +# Update modprobe.d from master +# +# Some releases (trusty) don't have this directory, and rsync would fail +# without this check. +if [ -d "${DEBIAN}/modprobe.d/" ]; then + rsync -avc --delete "${DEBIAN_MASTER}/modprobe.d/" "${DEBIAN}/modprobe.d" +fi + +cp -p "${DEBIAN_MASTER}/control.d/"*.inclusion-list "${DEBIAN}/control.d" + +cp -p "${DEBIAN_MASTER}/reconstruct" "${DEBIAN}/reconstruct" + +if [ -x "${DEBIAN}/scripts/helpers/local-mangle" ]; then + "./${DEBIAN}/scripts/helpers/local-mangle" +fi diff --git a/debian.trusty/scripts/helpers/local-mangle b/debian.trusty/scripts/helpers/local-mangle new file mode 100755 index 000000000000..d9b9c80b1fda --- /dev/null +++ b/debian.trusty/scripts/helpers/local-mangle 
@@ -0,0 +1,36 @@ +#!/bin/bash -eu + +# shellcheck disable=SC1091 +. debian/debian.env + +# +# Make sure signed module enforcement stays off until user space is ready. +# +sed -i 's/CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y/CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=n/' "${DEBIAN}/config/config.common.ubuntu" + +# +# Build in these 2 modules for arm in order to avoid +# a missing __aeabi_uldivmod symbol. +# +for i in CONFIG_MEGARAID_LEGACY CONFIG_MEGARAID_MAILBOX CONFIG_MEGARAID_MM CONFIG_MEGARAID_NEWGEN CONFIG_MEGARAID_SAS +do + echo "$i=n" >> "${DEBIAN}/config/armhf/config.common.armhf" +done +# Drop lowlatency +sed -i 's/lowlatency//g' "${DEBIAN}/rules.d/"*.mk +# shellcheck disable=SC2043 +for i in lowlatency +do + find "${DEBIAN}/config" | grep "$i" | xargs rm -f + find "${DEBIAN}/control.d" | grep "$i" | xargs rm -f +done +# Make sure CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=n +sed -i 's/CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=y/CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=n/' "${DEBIAN}/config/config."* "${DEBIAN}/config/"*/config.* + +# Original update-from-trusty-master did not copy inclusion list files. +# Now that the new script does, we should remove it, otherwise we start +# generating linux-modules-extra package, which might break users of a very +# stable distribution. +rm -f "${DEBIAN}/control.d/"*.inclusion-list + +rm -f "${DEBIAN}/d-i/kernel-versions"
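Review bot: In debian.trusty/changelog, the hunk at @@ -66,66 +53,66 @@ replaces linux-lts-trusty entries such as `linux-lts-trusty (3.13.0-165.215~precise1) precise` with `linux (3.13.0-165.215) trusty` entries and changes the trailer names and dates, but the commit message only describes the two new scripts and local.conf. Please either drop the changelog changes from this patch or move them to a separate commit with their own explanation, so the lts-trusty release history is not rewritten as an unexplained side effect of introducing the helpers.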
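Review bot: In copy-files, the test `[ ! -d "${DEBIAN}" ]` runs under `#!/bin/bash -eu`, so when debian/debian.env is absent (the case the preceding `-f` guard allows for) the script stops on an unbound variable instead of printing the "You must run this script from the top directory" message. DEBIAN_MASTER has the same gap: it is never checked, update.conf is sourced only if it exists, and the first use is the source side of `rsync -avc --delete`. Suggest testing `"${DEBIAN:-}"` and adding an explicit check that DEBIAN_MASTER is set and names a directory before any rsync or cp runs.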
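Review bot: In local-mangle, the two `sed -i` substitutions that force CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=n and CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=n have no check that they took effect: sed exits 0 when the pattern does not match, so `-e` will not catch a config copied from master that spells the option differently. Since these lines decide signature-enforcement and AppArmor settings, follow each sed with a `grep -q` for the expected `=n` line (or for absence of `=y`) and fail if it is not what the script intends. Separately, the comment above the MEGARAID loop says "Build in these 2 modules" while the loop lists five options and appends `=n` for each; please make the comment match what the loop does.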