From c32c7cf631a024cc2bdfd2072f4629696a845541 Mon Sep 17 00:00:00 2001 From: Joseph Salisbury Date: Mon, 15 Apr 2024 20:02:17 -0400 Subject: [PATCH] UBUNTU: Ubuntu-realtime-6.8.0-1010.23 Signed-off-by: Joseph Salisbury --- debian.realtime/changelog | 216 ++++++++++++++++++++++++++++- debian.realtime/config/annotations | 12 +- 2 files changed, 220 insertions(+), 8 deletions(-) diff --git a/debian.realtime/changelog b/debian.realtime/changelog index d4f489450dc6..043614ae6548 100644 --- a/debian.realtime/changelog +++ b/debian.realtime/changelog @@ -1,10 +1,216 @@ -linux-realtime (6.8.0-1009.20) UNRELEASED; urgency=medium +linux-realtime (6.8.0-1010.23) noble; urgency=medium - CHANGELOG: Do not edit directly. Autogenerated at release. - CHANGELOG: Use the printchanges target to see the curent changes. - CHANGELOG: Use the insertchanges target to create the final log. + * noble/linux-realtime: 6.8.0-1010.23 -proposed tracker (LP: #2061583) - -- Joseph Salisbury Mon, 15 Apr 2024 19:56:54 -0400 + * Packaging resync (LP: #1786013) + - [Packaging] drop getabis data + - [Packaging] Replace fs/cifs with fs/smb in inclusion list + - [Packaging] debian.realtime/dkms-versions -- update from kernel-versions + (main/d2024.04.04) + + [ Ubuntu: 6.8.0-25.25 ] + + * noble/linux: 6.8.0-25.25 -proposed tracker (LP: #2061083) + * Packaging resync (LP: #1786013) + - [Packaging] debian.master/dkms-versions -- update from kernel-versions + (main/d2024.04.04) + * Apply mitigations for the native BHI hardware vulnerabilty (LP: #2060909) + - x86/cpufeatures: Add new word for scattered features + - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file + - x86/syscall: Don't force use of indirect calls for system calls + - x86/bhi: Add support for clearing branch history at syscall entry + - x86/bhi: Define SPEC_CTRL_BHI_DIS_S + - x86/bhi: Enumerate Branch History Injection (BHI) bug + - x86/bhi: Add BHI mitigation knob + - x86/bhi: Mitigate KVM by default + - KVM: x86: Add BHI_NO + - x86: set SPECTRE_BHI_ON as default + - [Config] enable spectre_bhi=auto by default + * update apparmor and LSM stacking patch set (LP: #2028253) + - SAUCE: apparmor4.0.0 [01/90]: LSM stacking v39: integrity: disassociate + ima_filter_rule from security_audit_rule + - SAUCE: apparmor4.0.0 [02/90]: LSM stacking v39: SM: Infrastructure + management of the sock security + - SAUCE: apparmor4.0.0 [03/90]: LSM stacking v39: LSM: Add the lsmblob data + structure. + - SAUCE: apparmor4.0.0 [04/90]: LSM stacking v39: IMA: avoid label collisions + with stacked LSMs + - SAUCE: apparmor4.0.0 [05/90]: LSM stacking v39: LSM: Use lsmblob in + security_audit_rule_match + - SAUCE: apparmor4.0.0 [06/90]: LSM stacking v39: LSM: Add lsmblob_to_secctx + hook + - SAUCE: apparmor4.0.0 [07/90]: LSM stacking v39: Audit: maintain an lsmblob + in audit_context + - SAUCE: apparmor4.0.0 [08/90]: LSM stacking v39: LSM: Use lsmblob in + security_ipc_getsecid + - SAUCE: apparmor4.0.0 [09/90]: LSM stacking v39: Audit: Update shutdown LSM + data + - SAUCE: apparmor4.0.0 [10/90]: LSM stacking v39: LSM: Use lsmblob in + security_current_getsecid + - SAUCE: apparmor4.0.0 [11/90]: LSM stacking v39: LSM: Use lsmblob in + security_inode_getsecid + - SAUCE: apparmor4.0.0 [12/90]: LSM stacking v39: Audit: use an lsmblob in + audit_names + - SAUCE: apparmor4.0.0 [13/90]: LSM stacking v39: LSM: Create new + security_cred_getlsmblob LSM hook + - SAUCE: apparmor4.0.0 [14/90]: LSM stacking v39: Audit: Change context data + from secid to lsmblob + - SAUCE: apparmor4.0.0 [15/90]: LSM stacking v39: Netlabel: Use lsmblob for + audit data + - SAUCE: apparmor4.0.0 [16/90]: LSM stacking v39: LSM: Ensure the correct LSM + context releaser + - SAUCE: apparmor4.0.0 [17/90]: LSM stacking v39: LSM: Use lsmcontext in + security_secid_to_secctx + - SAUCE: apparmor4.0.0 [18/90]: LSM stacking v39: LSM: Use lsmcontext in + security_lsmblob_to_secctx + - SAUCE: apparmor4.0.0 [19/90]: LSM stacking v39: LSM: Use lsmcontext in + security_inode_getsecctx + - SAUCE: apparmor4.0.0 [20/90]: LSM stacking v39: LSM: Use lsmcontext in + security_dentry_init_security + - SAUCE: apparmor4.0.0 [21/90]: LSM stacking v39: LSM: + security_lsmblob_to_secctx module selection + - SAUCE: apparmor4.0.0 [22/90]: LSM stacking v39: Audit: Create audit_stamp + structure + - SAUCE: apparmor4.0.0 [23/90]: LSM stacking v39: Audit: Allow multiple + records in an audit_buffer + - SAUCE: apparmor4.0.0 [24/90]: LSM stacking v39: Audit: Add record for + multiple task security contexts + - SAUCE: apparmor4.0.0 [25/90]: LSM stacking v39: audit: multiple subject lsm + values for netlabel + - SAUCE: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record for + multiple object contexts + - SAUCE: apparmor4.0.0 [27/90]: LSM stacking v39: LSM: Remove unused + lsmcontext_init() + - SAUCE: apparmor4.0.0 [28/90]: LSM stacking v39: LSM: Improve logic in + security_getprocattr + - SAUCE: apparmor4.0.0 [29/90]: LSM stacking v39: LSM: secctx provider check + on release + - SAUCE: apparmor4.0.0 [31/90]: LSM stacking v39: LSM: Exclusive secmark usage + - SAUCE: apparmor4.0.0 [32/90]: LSM stacking v39: LSM: Identify which LSM + handles the context string + - SAUCE: apparmor4.0.0 [33/90]: LSM stacking v39: AppArmor: Remove the + exclusive flag + - SAUCE: apparmor4.0.0 [34/90]: LSM stacking v39: LSM: Add mount opts blob + size tracking + - SAUCE: apparmor4.0.0 [35/90]: LSM stacking v39: LSM: allocate mnt_opts blobs + instead of module specific data + - SAUCE: apparmor4.0.0 [36/90]: LSM stacking v39: LSM: Infrastructure + management of the key security blob + - SAUCE: apparmor4.0.0 [37/90]: LSM stacking v39: LSM: Infrastructure + management of the mnt_opts security blob + - SAUCE: apparmor4.0.0 [38/90]: LSM stacking v39: LSM: Correct handling of + ENOSYS in inode_setxattr + - SAUCE: apparmor4.0.0 [39/90]: LSM stacking v39: LSM: Remove lsmblob + scaffolding + - SAUCE: apparmor4.0.0 [40/90]: LSM stacking v39: LSM: Allow reservation of + netlabel + - SAUCE: apparmor4.0.0 [41/90]: LSM stacking v39: LSM: restrict + security_cred_getsecid() to a single LSM + - SAUCE: apparmor4.0.0 [42/90]: LSM stacking v39: Smack: Remove + LSM_FLAG_EXCLUSIVE + - SAUCE: apparmor4.0.0 [43/90]: LSM stacking v39: UBUNTU: SAUCE: apparmor4.0.0 + [12/95]: add/use fns to print hash string hex value + - SAUCE: apparmor4.0.0 [44/90]: patch to provide compatibility with v2.x net + rules + - SAUCE: apparmor4.0.0 [45/90]: add unpriviled user ns mediation + - SAUCE: apparmor4.0.0 [46/90]: Add sysctls for additional controls of unpriv + userns restrictions + - SAUCE: apparmor4.0.0 [47/90]: af_unix mediation + - SAUCE: apparmor4.0.0 [48/90]: Add fine grained mediation of posix mqueues + - SAUCE: apparmor4.0.0 [49/90]: setup slab cache for audit data + - SAUCE: apparmor4.0.0 [50/90]: Improve debug print infrastructure + - SAUCE: apparmor4.0.0 [51/90]: add the ability for profiles to have a + learning cache + - SAUCE: apparmor4.0.0 [52/90]: enable userspace upcall for mediation + - SAUCE: apparmor4.0.0 [53/90]: prompt - lock down prompt interface + - SAUCE: apparmor4.0.0 [54/90]: prompt - allow controlling of caching of a + prompt response + - SAUCE: apparmor4.0.0 [55/90]: prompt - add refcount to audit_node in prep or + reuse and delete + - SAUCE: apparmor4.0.0 [56/90]: prompt - refactor to moving caching to + uresponse + - SAUCE: apparmor4.0.0 [57/90]: prompt - Improve debug statements + - SAUCE: apparmor4.0.0 [58/90]: prompt - fix caching + - SAUCE: apparmor4.0.0 [59/90]: prompt - rework build to use append fn, to + simplify adding strings + - SAUCE: apparmor4.0.0 [60/90]: prompt - refcount notifications + - SAUCE: apparmor4.0.0 [61/90]: prompt - add the ability to reply with a + profile name + - SAUCE: apparmor4.0.0 [62/90]: prompt - fix notification cache when updating + - SAUCE: apparmor4.0.0 [63/90]: prompt - add tailglob on name for cache + support + - SAUCE: apparmor4.0.0 [64/90]: prompt - allow profiles to set prompts as + interruptible + - SAUCE: apparmor4.0.0 [65/90] v6.8 prompt:fixup interruptible + - SAUCE: apparmor4.0.0 [69/90]: add io_uring mediation + - SAUCE: apparmor4.0.0 [70/90]: apparmor: fix oops when racing to retrieve + notification + - SAUCE: apparmor4.0.0 [71/90]: apparmor: fix notification header size + - SAUCE: apparmor4.0.0 [72/90]: apparmor: fix request field from a prompt + reply that denies all access + - SAUCE: apparmor4.0.0 [73/90]: apparmor: open userns related sysctl so lxc + can check if restriction are in place + - SAUCE: apparmor4.0.0 [74/90]: apparmor: cleanup attachment perm lookup to + use lookup_perms() + - SAUCE: apparmor4.0.0 [75/90]: apparmor: remove redundant unconfined check. + - SAUCE: apparmor4.0.0 [76/90]: apparmor: switch signal mediation to using + RULE_MEDIATES + - SAUCE: apparmor4.0.0 [77/90]: apparmor: ensure labels with more than one + entry have correct flags + - SAUCE: apparmor4.0.0 [78/90]: apparmor: remove explicit restriction that + unconfined cannot use change_hat + - SAUCE: apparmor4.0.0 [79/90]: apparmor: cleanup: refactor file_perm() to + provide semantics of some checks + - SAUCE: apparmor4.0.0 [80/90]: apparmor: carry mediation check on label + - SAUCE: apparmor4.0.0 [81/90]: apparmor: convert easy uses of unconfined() to + label_mediates() + - SAUCE: apparmor4.0.0 [82/90]: apparmor: add additional flags to extended + permission. + - SAUCE: apparmor4.0.0 [83/90]: apparmor: add support for profiles to define + the kill signal + - SAUCE: apparmor4.0.0 [84/90]: apparmor: fix x_table_lookup when stacking is + not the first entry + - SAUCE: apparmor4.0.0 [85/90]: apparmor: allow profile to be transitioned + when a user ns is created + - SAUCE: apparmor4.0.0 [86/90]: apparmor: add ability to mediate caps with + policy state machine + - SAUCE: apparmor4.0.0 [87/90]: fixup notify + - SAUCE: apparmor4.0.0 [88/90]: apparmor: add fine grained ipv4/ipv6 mediation + - SAUCE: apparmor4.0.0 [89/90]:apparmor: disable tailglob responses for now + - SAUCE: apparmor4.0.0 [90/90]: apparmor: Fix notify build warnings + - SAUCE: apparmor4.0.0: fix reserved mem for when we save ipv6 addresses + - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS + * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe] + apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic + (LP: #2032602) + - SAUCE: apparmor4.0.0 [66/90]: prompt - add support for advanced filtering of + notifications + - SAUCE: apparmor4.0.0 [67/90]: userns - add the ability to reference a global + variable for a feature value + - SAUCE: apparmor4.0.0 [68/90]: userns - make it so special unconfined + profiles can mediate user namespaces + * [MTL] x86: Fix Cache info sysfs is not populated (LP: #2049793) + - SAUCE: cacheinfo: Check for null last-level cache info + - SAUCE: cacheinfo: Allocate memory for memory if not done from the primary + CPU + - SAUCE: x86/cacheinfo: Delete global num_cache_leaves + - SAUCE: x86/cacheinfo: Clean out init_cache_level() + * Miscellaneous Ubuntu changes + - SAUCE: apparmor4.0.0: LSM stacking v39: fix build error with + CONFIG_SECURITY=n + - [Config] toolchain version update + + [ Ubuntu: 6.8.0-22.22 ] + + * noble/linux: 6.8.0-22.22 -proposed tracker (LP: #2060238) + + [ Ubuntu: 6.8.0-21.21 ] + + * noble/linux: 6.8.0-21.21 -proposed tracker (LP: #2060225) + * Miscellaneous Ubuntu changes + - [Config] update toolchain version in annotations + + -- Joseph Salisbury Mon, 15 Apr 2024 20:02:17 -0400 linux-realtime (6.8.0-1008.19) noble; urgency=medium diff --git a/debian.realtime/config/annotations b/debian.realtime/config/annotations index 89a9eff7a678..a0b8b47adeb6 100644 --- a/debian.realtime/config/annotations +++ b/debian.realtime/config/annotations @@ -5,6 +5,9 @@ include "../../debian.master/config/annotations" +CONFIG_ARM64_CONTPTE policy<{'arm64': '-'}> +CONFIG_ARM64_CONTPTE note<'Not supported in the real-time kernel'> + CONFIG_BLK_CGROUP_IOLATENCY policy<{'amd64': 'y', 'arm64': 'y'}> CONFIG_BLK_CGROUP_IOLATENCY note<'LP: #1961588'> @@ -35,8 +38,11 @@ CONFIG_RCU_LAZY note<'LP: #2051342'> CONFIG_RCU_LAZY_DEFAULT_OFF policy<{'amd64': '-', 'arm64': '-'}> CONFIG_RCU_LAZY_DEFAULT_OFF note<'LP: #2051342'> -CONFIG_RUST policy<{'amd64': 'n'}> -CONFIG_RUST note<'TODO: update note'> +CONFIG_RUST policy<{'amd64': '-'}> +CONFIG_RUST note<'Disable Rust for realtime'> + +CONFIG_RUST_IS_AVAILABLE policy<{'amd64': '-', 'arm64': '-'}> +CONFIG_RUST_IS_AVAILABLE note<'Disable Rust for realtime'> CONFIG_TIMERLAT_TRACER policy<{'amd64': 'y', 'arm64': 'y'}> CONFIG_TIMERLAT_TRACER note<'LP: #1961588'> @@ -80,7 +86,7 @@ CONFIG_ARCH_WANT_PMD_MKWRITE policy<{'amd64': '-', 'arm64': ' CONFIG_ARM64_ERRATUM_834220 policy<{'arm64': '-'}> CONFIG_AX88796B_RUST_PHY policy<{'amd64': '-'}> CONFIG_BINDGEN_VERSION_TEXT policy<{'amd64': '-'}> -CONFIG_CC_VERSION_TEXT policy<{'amd64': '"x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0"', 'arm64': '"aarch64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu2) 13.2.0"'}> +CONFIG_CC_VERSION_TEXT policy<{'amd64': '"x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-17ubuntu2) 13.2.0"', 'arm64': '"aarch64-linux-gnu-gcc-13 (Ubuntu 13.2.0-11ubuntu1) 13.2.0"'}> CONFIG_CEC_GPIO policy<{'amd64': 'm', 'arm64': 'n'}> CONFIG_CEC_PIN policy<{'amd64': 'y', 'arm64': '-'}> CONFIG_CEC_PIN_ERROR_INJ policy<{'amd64': 'y', 'arm64': '-'}>