This brings in several patches needed to add support for the
memfd_create() syscall into kernel version 3.4 from kernel
version 3.17. This is required for running lxc >= 3.1.0-r1
with the security patch that fixes CVE-2019-5736.
In short, the security issue was: in a privileged container, a root
process could overwrite the lxc-start executable by opening its
file descriptor and rewriting the executable's contents. This is
where memfd comes to help: you can create an in-memory file,
copy your executable there, and place a set of SEALS to protect
it from modification at a deep level. Then you fexecve() that fd
and you're safe.
For example, pulseaudio can also benefit from having
memfd_create() implemented.
This backports the following commits from upstream linux:
- dd37978c50bc8b354e5c4633f69387f16572fdac: cache the value of
  file_inode() in struct file
  (commit from linux-3.10 to have an f_inode member inside
  struct file and a helper function file_inode() that is
  used in some of the following commits)
- 40e041a2c858b3caefc757e26cb85bfceae5062b: shm: add sealing API
  (from 3.17: a security measure called SEALS that you can put
  on a memfd file to restrict operations on it)
- 9183df25fe7b194563db3fec6dc3202a5855839c: shm: add memfd_create()
  syscall (also from 3.17)
- 503e6636b6f96056210062be703356f4253b6db9: asm-generic: add
  memfd_create system call to unistd.h
- e57e41931134e09fc6c03c8d4eb19d516cc6e59b: ARM: wire up
  memfd_create syscall
The last two are needed to make the syscall visible/usable from
userspace, one in a generic context, the other for the ARM arch.
The test program (https://github.com/minlexx/test_memfd/) was
written to verify that this works.
[ci:skip-build]: already built successfully in CI
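As an added example (not code from the pmaports commit, from lxc, or from the backported patches), the sequence the message describes in C: copy an executable into a memfd, apply the four seals, check that the kernel enforces them, and fexecve() the sealed copy. The function names, the fallback constant values and the launcher helper are this example's own; it assumes a kernel with memfd_create() and sealing support (3.17 or the backport above) and glibc or musl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef F_ADD_SEALS /* fallback for libc headers predating the 3.17 sealing API */
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 1
#define F_SEAL_SHRINK 2
#define F_SEAL_GROW 4
#define F_SEAL_WRITE 8
#endif
#define MFD_FLAGS 3U /* MFD_CLOEXEC | MFD_ALLOW_SEALING */
#define ALL_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)
extern char **environ;

/* Copy src_fd into a fresh memfd and seal it; returns the memfd or -1. */
int sealed_memfd_from_fd(int src_fd)
{
    int mfd = (int)syscall(SYS_memfd_create, "sealed-exec", MFD_FLAGS);
    if (mfd < 0) return -1;
    char buf[65536]; ssize_t n, w;
    while ((n = read(src_fd, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; off += w)
            if ((w = write(mfd, buf + off, (size_t)(n - off))) < 0) { close(mfd); return -1; }
    /* Seals are enforced by the kernel on every fd and mapping of this file:
     * no write, shrink, grow or seal removal can succeed from now on. */
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, ALL_SEALS) < 0) { close(mfd); return -1; }
    return mfd;
}

/* 1 if fd carries all four seals and the kernel rejects a write and a truncate. */
int memfd_is_immutable(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0 || (seals & ALL_SEALS) != ALL_SEALS) return 0;
    return write(fd, "x", 1) < 0 && errno == EPERM
        && ftruncate(fd, 0) < 0 && errno == EPERM;
}

/* A hardened launcher executes the sealed copy, never the on-disk binary. */
int exec_sealed_copy(const char *path, char **argv)
{
    int src = open(path, O_RDONLY | O_CLOEXEC), mfd = -1;
    if (src >= 0) { mfd = sealed_memfd_from_fd(src); close(src); }
    if (mfd < 0 || !memfd_is_immutable(mfd)) return -1;
    return fexecve(mfd, argv, environ); /* returns only on error */
}
```

Once sealed, even a process that obtains the fd (or a duplicate of it) cannot rewrite the contents, which is the property the lxc fix relies on.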
* fix patch file names and reorder them properly
* add patch to fix framebuffer memory allocation
* add patch to fix compile warning for iptables plugin xt_connbytes
* add patch to properly assign MAC address for USB RNDIS
* add backport patch from upstream about O_PATH file descriptors
[ci:skip-build]: already went through successfully in CI
@drebrez originally based the klte port on the lineage-16.0 branch (Android 9),
but we need compatibility with Android 7.1, so use the lineage-14.1 branch.
Also tidy up downstream kernel config a little bit (pass it through
pmbootstrap kconfig edit, change nothing, exit with saving).
The problem behind the swapped red and blue is the inverted byte order in
the framebuffer driver's pixel format.
This patch sets the correct byte order in the framebuffer driver,
solving the swapped red and blue problem.
[ci:skip-build]: already built successfully in CI
Use the latest sources from LineageOS instead of the ones from andip71.
The APKBUILD is modernized to use devicepkg-dev, but unfortunately,
when compiled with gcc8, it doesn't boot.
The kernel config is updated with the required options to start the
lxc-android container, and xf86-video-hwcomposer works
(tested with xfce4).
My plan was to add the firmware-samsung-klte with the subpackages for
the wifi blobs and a precompiled android system.img to use with
libhybris, but my device just died and I'm not able to power it on (I've
probably burnt the Power IC 😢)
This reverts commit ee659a5bb4
and increases the pkgrels of all affected linux pmaports.
I have compiled *every single kernel* that was modified with this
commit, and it worked. That took 12 hours. So I'm pretty confident that
this is a good commit. Let's roll it out and go back to stability \o/
I'll kick off the binary repo building directly after pushing this, but
it will take some time until all binary packages are available again.
[skip ci]: it wouldn't finish in time.
All kernels compile again, after the GCC 8 upgrade.
All 3.x kernels have been changed to use GCC 6 now, because we can't
say for sure that they boot with GCC 8 even if we made them compile
with that newer GCC. If someone wants to test a kernel for a newer
device which they can test, see the instructions on
<https://postmarketos.org/vendorkernel>.
The linux-sony-castor-windy 4.x kernel did not compile out of the box
with the latest GCC, so we set it to GCC 6 as well. This can probably
be fixed easily.
linux-teclast-x80-pro: removed Werror and updated to latest 4.14 kernel
from kernel.org, otherwise this would not compile anymore (tested with
both GCC 6 and 8, probably incompatibility with the latest binutils or
something).
This commit will take too long to compile in CI, so let's [skip ci].
I've compiled all kernels multiple times and fixed them up until all of
them were working again.
Related: #103
* change "pmbootstrap kconfig_check" to "pmbootstrap kconfig check"
* change "pmbootstrap menuconfig" to "pmbootstrap kconfig edit [-x|-g]"
(with a legacy alias, because the first syntax was referenced a lot)
* enable X11 interfaces: -x: xconfig, -g: gconfig
* new function to copy the xauthority file:
pmb.chroot.other.copy_xauthority()
* remove menufconfig() function from the kernel template and all kernel
aports ([skip ci] because it would rebuild all kernels and run out of
time). Alpine has dropped this as well, and it wouldn't work with the
new code anyway.