This brings in several patches needed to add support for a
memfd_create() syscall into kernel version 3.4 from kernel
version 3.17. This is required for running lxc >= 3.1.0-r1
with the security patch that fixes CVE-2019-5736.
In short, the security issue was: in a privileged container, a root
process could overwrite the lxc-start executable by opening its
file descriptor and rewriting the executable's contents. This is
where memfd comes to help: you can create an in-memory file,
copy your executable there, and place a set of SEALS on it to protect
it from modification at a deep level. Then you fexecve() that fd
and you're safe.
pulseaudio, for example, can also benefit from having
memfd_create() implemented.
This backports the following commits from upstream linux:
- dd37978c50bc8b354e5c4633f69387f16572fdac: cache the value
  of file_inode() in struct file
  commit from linux-3.10 to have an f_inode member inside
  struct file and a helper function file_inode() that is
  used in some of the following commits
- 40e041a2c858b3caefc757e26cb85bfceae5062b shm: add sealing API
  from 3.17: security measure called SEALS, that you can put
  on a memfd file to restrict operations on it
- 9183df25fe7b194563db3fec6dc3202a5855839c shm: add memfd_create()
  syscall
  also from 3.17
- 503e6636b6f96056210062be703356f4253b6db9 asm-generic: add
  memfd_create system call to unistd.h
- e57e41931134e09fc6c03c8d4eb19d516cc6e59b ARM: wire up
  memfd_create syscall
The last two are needed to make the syscall visible/usable from
userspace, one in the generic context, the other for the ARM arch.
The test program (https://github.com/minlexx/test_memfd/) was
written to verify that this works.
[ci:skip-build]: already built successfully in CI
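As an added illustration of the mechanism this commit message describes (example code written for this page, not from the merge request, lxc or the kernel patches), the program below copies a constructed byte blob into a memfd, applies the seal set, and checks that the kernel now refuses both writes and any change to the seals; the resulting fd is what a caller would then hand to fexecve(). The function names are mine; the fallback numeric constants are the Linux UAPI values, assumed for C libraries whose headers predate the sealing API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Linux UAPI values, spelled out in case the C library headers predate them. */
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   (1024 + 9)
#define F_GET_SEALS   (1024 + 10)
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#define MFD_SEALABLE_FLAGS (0x0001U | 0x0002U) /* MFD_CLOEXEC | MFD_ALLOW_SEALING */

/* Seals that freeze the copy: no shrink, grow or write, and no further seals. */
#define LOCKED_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy `len` bytes of an executable image into a fresh memfd and seal it.
 * Returns the fd (ready for fexecve()) or -1 on error. */
int sealed_memfd_from_buffer(const char *name, const void *data, size_t len)
{
    int fd = (int)syscall(SYS_memfd_create, name, MFD_SEALABLE_FLAGS);
    if (fd < 0) return -1;
    const char *p = data;
    for (size_t done = 0; done < len; ) {
        ssize_t n = write(fd, p + done, len - done);
        if (n < 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    /* F_SEAL_WRITE is refused (EBUSY) while writable shared mappings exist. */
    if (fcntl(fd, F_ADD_SEALS, LOCKED_SEALS) < 0) { close(fd); return -1; }
    return fd;
}

/* 1 if fd carries all LOCKED_SEALS and the kernel rejects both a write and
 * any attempt to change the seal set; 0 otherwise (including non-memfd fds). */
int memfd_is_locked(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || (seals & LOCKED_SEALS) != LOCKED_SEALS) return 0;
    /* A sealed file rejects writes with EPERM instead of changing contents. */
    if (pwrite(fd, "x", 1, 0) != -1 || errno != EPERM) return 0;
    /* F_SEAL_SEAL makes any further F_ADD_SEALS fail with EPERM. */
    return fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) == -1 && errno == EPERM;
}
```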
As Idan Horo wrote in osk-sdl!82:
"Newer versions of cryptsetup automatically encrypt with LUKS v2.
osk-sdl assumes all partitions are encrypted with v1 and as such fails.
By just changing the encryption type to NULL, cryptsetup automatically
detects and chooses the correct LUKS version. Tested on xiaomi-kenzo."
Require the latest pmbootstrap version, because it supports depends in
depends in the APKBUILD parser, and is able to properly test the
UEVENT_HELPER and LBDAF kconfig options (they must depend on the kernel
version).
Let all remaining devices that depend on mesa-dri-freedreno use the new
mesa-freedreno package.
[ci:skip-build]: won't finish in time. I'm verifying that the whole
merge request builds before merging.
Use the new mesa-freedreno package. Configure inittab to start a
terminal on ttyMSM0 (serial). Remove fbdev from xorg.conf and set
SWCursor on.
Based on patches from Brian Masney.
Freedreno is broken in latest mesa stable, but it is fixed in current
master. Let's use master for now.
Based on Brian Masney's patch, but with a hardcoded commit and a
separate package.
[ci:skip-build]: will not finish in time. I've built linux-asus-me176c
and it builds fine. I'm assuming that linux-teclast-x80pro will also
build, since it is pretty much the vanilla kernel.
Fix wifi on htc-ace by properly setting nl80211 before wext.
/etc/conf.d/wpa_supplicant is supposed to get modified twice with the
current code in the post-install file. The first one was patched
recently to set nl80211 before wext, but that change does not work in
practice, for two reasons:
1. The code block does not even get executed, because apk reports that
/etc/conf.d/wpa_supplicant was already modified (by a package that
was installed before, in its post-install script? I could not find
out which one does that though).
2. Even if it worked, the second code block would revert the change and
put wext before nl80211 again.
Fix this by removing the first code block, and changing the order in the
second one. Make it easier to catch such errors in the future by
printing which files get modified or get skipped. Set "#!/bin/sh -e",
so the script can not fail silently.
When doing pmbootstrap -y zap and then pmbootstrap install, the output
looks like this:
(141/151) Installing postmarketos-base (3-r26)
Executing postmarketos-base-3-r26.post-install
- Modifying: /etc/fstab
- Modifying: /etc/issue
- Modifying: /etc/motd
- Modifying: /etc/conf.d/syslog
- Modifying: /etc/conf.d/wpa_supplicant
- Modifying: /etc/sudoers
- Modifying: /etc/chrony/chrony.conf
Boots successfully, SSH over USB works fine, display and touch screen
work fine. WiFi is also confirmed to be working.
[ci:skip-build]: already built successfully in CI