From 836c35ce52830f30be85e188b12274d74eae0d74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Forr=C3=B3?= Date: Mon, 2 Nov 2020 16:55:55 +0100 Subject: [PATCH] update to 5.09 - resolves: #1893576 --- .gitignore | 1 + man-pages-5.04-kernel_lockdown.patch | 113 --------------------------- man-pages.spec | 9 ++- sources | 2 +- 4 files changed, 7 insertions(+), 118 deletions(-) delete mode 100644 man-pages-5.04-kernel_lockdown.patch diff --git a/.gitignore b/.gitignore index 81bf040..0985e9c 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,4 @@ /man-pages-5.06.tar.xz /man-pages-5.07.tar.xz /man-pages-5.08.tar.xz +/man-pages-5.09.tar.xz diff --git a/man-pages-5.04-kernel_lockdown.patch b/man-pages-5.04-kernel_lockdown.patch deleted file mode 100644 index c38a2b4..0000000 --- a/man-pages-5.04-kernel_lockdown.patch +++ /dev/null 
@@ -1,113 +0,0 @@
-diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
-new file mode 100644
-index 0000000..5ec4289
---- /dev/null
-+++ b/man7/kernel_lockdown.7
-@@ -0,0 +1,107 @@
-+.\"
-+.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
-+.\" Written by David Howells (dhowells@redhat.com)
-+.\"
-+.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
-+.\" This program is free software; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License
-+.\" as published by the Free Software Foundation; either version
-+.\" 2 of the License, or (at your option) any later version.
-+.\" %%%LICENSE_END
-+.\"
-+.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
-+.SH NAME
-+Kernel Lockdown \- Kernel image access prevention feature
-+.SH DESCRIPTION
-+The Kernel Lockdown feature is designed to prevent both direct and indirect
-+access to a running kernel image, attempting to protect against unauthorised
-+modification of the kernel image and to prevent access to security and
-+cryptographic data located in kernel memory, whilst still permitting driver
-+modules to be loaded.
-+.P
-+Lockdown is typically enabled during boot and may be terminated, if configured,
-+by typing a special key combination on a directly attached physical keyboard.
-+.P
-+If a prohibited or restricted feature is accessed or used, the kernel will emit
-+a message that looks like:
-+.P
-+.RS
-+ Lockdown: X: Y is restricted, see man kernel_lockdown.7
-+.RE
-+.P
-+where X indicates the process name and Y indicates what is restricted.
-+.P
-+On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
-+if the system boots in EFI Secure Boot mode.
-+.P
-+If the kernel is appropriately configured, lockdown may be lifted by typing the
-+appropriate sequence on a directly attached physical keyboard. For x86
-+machines, this is
-+.IR SysRq+x .
-+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
-+.SH COVERAGE
-+When lockdown is in effect, a number of features are disabled or have their use
-+restricted. This includes special device files and kernel services that allow
-+direct access of the kernel image:
-+.P
-+.RS
-+/dev/mem
-+.br
-+/dev/kmem
-+.br
-+/dev/kcore
-+.br
-+/dev/ioports
-+.br
-+BPF
-+.br
-+kprobes
-+.RE
-+.P
-+and the ability to directly configure and control devices, so as to prevent the
-+use of a device to access or modify a kernel image:
-+.P
-+.RS
-+The use of module parameters that directly specify hardware parameters to
-+drivers through the kernel command line or when loading a module.
-+.P
-+The use of direct PCI BAR access.
-+.P
-+The use of the ioperm and iopl instructions on x86.
-+.P
-+The use of the KD*IO console ioctls.
-+.P
-+The use of the TIOCSSERIAL serial ioctl.
-+.P
-+The alteration of MSR registers on x86.
-+.P
-+The replacement of the PCMCIA CIS.
-+.P
-+The overriding of ACPI tables.
-+.P
-+The use of ACPI error injection.
-+.P
-+The specification of the ACPI RDSP address.
-+.P
-+The use of ACPI custom methods.
-+.RE
-+.P
-+Certain facilities are restricted:
-+.P
-+.RS
-+Only validly signed modules may be loaded (waived if the module file being
-+loaded is vouched for by IMA appraisal).
-+.P
-+Only validly signed binaries may be kexec'd (waived if the binary image file to
-+be executed is vouched for by IMA appraisal).
-+.P
-+Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
-+saved to a medium that can then be accessed.
-+.P
-+Use of debugfs is not permitted as this allows a whole range of actions
-+including direct configuration of, access to and driving of hardware.
-+.P
-+IMA requires the addition of the "secure_boot" rules to the policy, whether or
-+not they are specified on the command line, for both the builtin and custom
-+policies in secure boot lockdown mode.
-+.RE
diff --git a/man-pages.spec b/man-pages.spec index e543fe9..c82c712 100644 --- a/man-pages.spec +++ b/man-pages.spec @@ -6,7 +6,7 @@ Summary: Linux kernel and C library user-space interface documentation Name: man-pages -Version: 5.08 +Version: 5.09 Release: 1%{?dist} License: GPL+ and GPLv2+ and BSD and MIT and Copyright only and IEEE URL: http://www.kernel.org/doc/man-pages/ @@ -41,8 +41,6 @@ Patch0: man-pages-posix-2013-a-pthread_once.patch # resolves: #650985 # https://bugzilla.kernel.org/show_bug.cgi?id=53781 Patch21: man-pages-3.42-close.patch -# resolves: #1797591 -Patch22: man-pages-5.04-kernel_lockdown.patch %description A large collection of manual pages from the Linux Documentation Project (LDP). @@ -52,7 +50,6 @@ A large collection of manual pages from the Linux Documentation Project (LDP). %patch0 -p1 %patch21 -p1 -%patch22 -p1 # rename posix README so we don't have conflict mv %{posix_name}/README %{posix_name}/%{posix_name}.README @@ -118,6 +115,10 @@ fi %{_mandir}/man*/* %changelog +* Mon Nov 02 2020 Nikola Forró - 5.09-1 +- update to 5.09 + resolves: #1893576 + * Mon Aug 17 2020 Nikola Forró - 5.08-1 - update to 5.08 resolves: #1868674 diff --git a/sources b/sources index d6af194..13dfa0a 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (man-pages-posix-2013-a.tar.xz) = e6ec8eb57269fadf368aeaac31b5a98b9c71723d4d5cc189f9c4642d6e865c88e44f77481dccbdb72e31526488eb531f624d455016361687a834ccfcac19fa14 SHA512 (man-pages-additional-20140218.tar.xz) = c7874db32a9bdefaea6c6be6549e6e6538fa1d93260bf342dd0d9821fa05754aa79a723e701493c81b2e1f460918429eb9b5edb704b55878b1e5ed585a3ff07d -SHA512 (man-pages-5.08.tar.xz) = fbd54c96c3ef1272f856a27d2258fefd3934d9f6ef60c243a824377769c4784b65aba54d680bb382371b0ce35fd4d065b17980cb535118e7986844f19afd7932 +SHA512 (man-pages-5.09.tar.xz) = fa5684c316326afd2056876c174e4f2c8baa18d76bfc2f63009903f09f93b4c204fb0773e0991b5247e50596b2da7e232c5087121a0c938a072af8c77848686f
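Review bot: The new %changelog entry in man-pages.spec records only the version bump, although the `@@ -41,8 +41,6 @@` and `@@ -52,7 +50,6 @@` hunks of the same file also drop Patch22 (man-pages-5.04-kernel_lockdown.patch, resolves #1797591) and its `%patch22 -p1` line. Nothing visible in this commit states whether kernel_lockdown(7) is still shipped after the removal; presumably the 5.09 tarball now carries the page itself, but that should be confirmed against the tarball contents. Once verified, I would add a changelog line such as `- drop kernel_lockdown patch, page now provided by upstream tarball` so that anyone relying on the lockdown documentation referenced by the kernel's "see man kernel_lockdown.7" message can trace where it comes from.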