@@ -1,6 +1,6 @@

 Summary:	Linux API header files

 Name:		linux-api-headers

-Version:	4.9.34

+Version:	4.9.43

 Release:	1%{?dist}

 License:	GPLv2

 URL:		http://www.kernel.org/

@@ -8,7 +8,7 @@ Group:		System Environment/Kernel

 Vendor:		VMware, Inc.

 Distribution: Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=d02dc269e67eae329043c9aa7d6c2d6182950c2f

+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

 BuildArch:	noarch

 %description

 The Linux API Headers expose the kernel's API for use by Glibc.

@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de

 %defattr(-,root,root)

 %{_includedir}/*

 %changelog

+*   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

+-   Version update

 *   Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1

 -   Version update

 *   Fri May 26 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.30-1

new file mode 100644

@@ -0,0 +1,93 @@

+From: Serge Hallyn <serge.hallyn@canonical.com>

+Date: Fri, 31 May 2013 19:12:12 +0000 (+0100)

+Subject: add sysctl to disallow unprivileged CLONE_NEWUSER by default

+Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8

+

+add sysctl to disallow unprivileged CLONE_NEWUSER by default

+

+This is a short-term patch.  Unprivileged use of CLONE_NEWUSER

+is certainly an intended feature of user namespaces.  However

+for at least saucy we want to make sure that, if any security

+issues are found, we have a fail-safe.

+

+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

+[bwh: Remove unneeded binary sysctl bits]

+---

+--- a/kernel/fork.c

+@@ -87,6 +87,11 @@

+ 

+ #define CREATE_TRACE_POINTS

+ #include <trace/events/task.h>

++#ifdef CONFIG_USER_NS

++extern int unprivileged_userns_clone;

++#else

++#define unprivileged_userns_clone 0

++#endif

+ 

+ /*

+  * Minimum number of threads to boot the kernel

+@@ -1252,6 +1257,10 @@ static struct task_struct *copy_process(

+ 	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))

+ 		return ERR_PTR(-EINVAL);

+ 

++	if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)

++		if (!capable(CAP_SYS_ADMIN))

++			return ERR_PTR(-EPERM);

++

+ 	/*

+ 	 * Thread groups must share signals as well, and detached threads

+ 	 * can only be started up within the thread group.

+@@ -1944,6 +1953,12 @@ SYSCALL_DEFINE1(unshare, unsigned long,

+ 	if (unshare_flags & CLONE_NEWNS)

+ 		unshare_flags |= CLONE_FS;

+ 

++	if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {

++		err = -EPERM;

++		if (!capable(CAP_SYS_ADMIN))

++			goto bad_unshare_out;

++	}

++

+ 	err = check_unshare_flags(unshare_flags);

+ 	if (err)

+ 		goto bad_unshare_out;

+--- a/kernel/sysctl.c

+@@ -102,6 +102,9 @@ extern int core_uses_pid;

+ extern char core_pattern[];

+ extern unsigned int core_pipe_limit;

+ #endif

++#ifdef CONFIG_USER_NS

++extern int unprivileged_userns_clone;

++#endif

+ extern int pid_max;

+ extern int pid_max_min, pid_max_max;

+ extern int percpu_pagelist_fraction;

+@@ -489,6 +492,15 @@ static struct ctl_table kern_table[] = {

+ 		.mode		= 0644,

+ 		.proc_handler	= proc_dointvec,

+ 	},

++#endif

++#ifdef CONFIG_USER_NS

++	{

++		.procname	= "unprivileged_userns_clone",

++		.data		= &unprivileged_userns_clone,

++		.maxlen		= sizeof(int),

++		.mode		= 0644,

++		.proc_handler	= proc_dointvec,

++	},

+ #endif

+ #ifdef CONFIG_PROC_SYSCTL

+ 	{

+--- a/kernel/user_namespace.c

+@@ -23,6 +23,9 @@

+ #include <linux/projid.h>

+ #include <linux/fs_struct.h>

+ 

++/* sysctl */

++int unprivileged_userns_clone;

++

+ static struct kmem_cache *user_ns_cachep __read_mostly;

+ static DEFINE_MUTEX(userns_state_mutex);

+ 

deleted file mode 100644

@@ -1,51 +0,0 @@

-From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001

-From: Sabrina Dubroca <sd@queasysnail.net>

-Date: Wed, 19 Jul 2017 22:28:55 +0200

-Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt

-

-In some cases, offset can overflow and can cause an infinite loop in

-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and

-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

-

-This problem has been here since before the beginning of git history.

-

-Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

-Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

-Signed-off-by: David S. Miller <davem@davemloft.net>

- net/ipv6/output_core.c | 8 ++++++--

- 1 file changed, 6 insertions(+), 2 deletions(-)

-

-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c

-index e9065b8d3af85..abb2c307fbe83 100644

-+++ b/net/ipv6/output_core.c

-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);

- 

- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)

- {

--	u16 offset = sizeof(struct ipv6hdr);

-+	unsigned int offset = sizeof(struct ipv6hdr);

- 	unsigned int packet_len = skb_tail_pointer(skb) -

- 		skb_network_header(skb);

- 	int found_rhdr = 0;

-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)

- 

- 	while (offset <= packet_len) {

- 		struct ipv6_opt_hdr *exthdr;

-+		unsigned int len;

- 

- 		switch (**nexthdr) {

- 

-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)

- 

- 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +

- 						 offset);

--		offset += ipv6_optlen(exthdr);

-+		len = ipv6_optlen(exthdr);

-+		if (len + offset >= IPV6_MAXPLEN)

-+			return -EINVAL;

-+		offset += len;

- 		*nexthdr = &exthdr->nexthdr;

- 	}

- 

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-esx

-Version:        4.9.41

-Release:        2%{?dist}

+Version:        4.9.43

+Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=74fe70e8c119fbf67f7f131e92a45a2046ca1908

+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

 Source1:        config-esx

 Source2:        initramfs.trigger

 # common

@@ -35,8 +35,7 @@ Patch18:        05-pv-ops-clocksource.patch

 Patch19:        06-pv-ops-boot_clock.patch

 Patch20:        07-vmware-only.patch

 Patch21:        vmware-balloon-late-initcall.patch

-# Fix CVE-2017-7542

-Patch22:        ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch

+Patch22:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod-devel

@@ -190,6 +189,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

+-   Version update

+-   [feature] new sysctl option unprivileged_userns_clone

 *   Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2

 -   [bugfix] Do not fallback to syscall from VDSO on clock_gettime(MONOTONIC)

 -   Fix CVE-2017-7542

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux-secure

-Version:        4.9.41

-Release:        2%{?dist}

+Version:        4.9.43

+Release:        1%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=74fe70e8c119fbf67f7f131e92a45a2046ca1908

+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

 Source1:        config-secure

 Source2:        aufs4.9.tar.gz

 %define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906

@@ -46,8 +46,7 @@ Patch26:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 #FIPS patches - allow some algorithms

 Patch27:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch28:        0002-allow-also-ecb-cipher_null.patch

-# Fix CVE-2017-7542

-Patch29:        ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch

+Patch29:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 # NSX requirements (should be removed)

 Patch99:        LKCM.patch

 BuildRequires:  bc

@@ -258,6 +257,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

+-   Version update

+-   [feature] new sysctl option unprivileged_userns_clone

 *   Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2

 -   Fix CVE-2017-7542

 -   [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid

@@ -1,15 +1,15 @@

 %global security_hardening none

 Summary:        Kernel

 Name:           linux

-Version:        4.9.41

-Release:        2%{?dist}

+Version:        4.9.43

+Release:        1%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

 Vendor:         VMware, Inc.

 Distribution: 	Photon

 Source0:        http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz

-%define sha1 linux=74fe70e8c119fbf67f7f131e92a45a2046ca1908

+%define sha1 linux=e61d542f88a842b43ae8daacecf7d854458f57d5

 Source1:	config

 Source2:	initramfs.trigger

 %define ena_version 1.1.3

@@ -43,8 +43,7 @@ Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch

 #FIPS patches - allow some algorithms

 Patch24:        0001-Revert-crypto-testmgr-Disable-fips-allowed-for-authe.patch

 Patch25:        0002-allow-also-ecb-cipher_null.patch

-# Fix CVE-2017-7542

-Patch26:        ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch

+Patch26:        add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

 BuildRequires:  bc

 BuildRequires:  kbd

@@ -298,6 +297,9 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg

 /usr/share/doc/*

 %changelog

+*   Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1

+-   Version update

+-   [feature] new sysctl option unprivileged_userns_clone

 *   Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2

 -   Fix CVE-2017-7542

 -   [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid