# git rev-parse -q --verify aefcf2f4b58155d27340ba5f9ddbe9513da8286d^{commit}
aefcf2f4b58155d27340ba5f9ddbe9513da8286d
already have revision, skipping fetch
# git checkout -q -f -B kisskb aefcf2f4b58155d27340ba5f9ddbe9513da8286d
# git clean -qxdf
# < git log -1
# commit aefcf2f4b58155d27340ba5f9ddbe9513da8286d
# Merge: f1f2f614d535 45893a0abee6
# Author: Linus Torvalds <torvalds@linux-foundation.org>
# Date:   Sat Sep 28 08:14:15 2019 -0700
# 
#     Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
#     
#     Pull kernel lockdown mode from James Morris:
#      "This is the latest iteration of the kernel lockdown patchset, from
#       Matthew Garrett, David Howells and others.
#     
#       From the original description:
#     
#         This patchset introduces an optional kernel lockdown feature,
#         intended to strengthen the boundary between UID 0 and the kernel.
#         When enabled, various pieces of kernel functionality are restricted.
#         Applications that rely on low-level access to either hardware or the
#         kernel may cease working as a result - therefore this should not be
#         enabled without appropriate evaluation beforehand.
#     
#         The majority of mainstream distributions have been carrying variants
#         of this patchset for many years now, so there's value in providing a
#         doesn't meet every distribution requirement, but gets us much closer
#         to not requiring external patches.
#     
#       There are two major changes since this was last proposed for mainline:
#     
#        - Separating lockdown from EFI secure boot. Background discussion is
#          covered here: https://lwn.net/Articles/751061/
#     
#        -  Implementation as an LSM, with a default stackable lockdown LSM
#           module. This allows the lockdown feature to be policy-driven,
#           rather than encoding an implicit policy within the mechanism.
#     
#       The new locked_down LSM hook is provided to allow LSMs to make a
#       policy decision around whether kernel functionality that would allow
#       tampering with or examining the runtime state of the kernel should be
#       permitted.
#     
#       The included lockdown LSM provides an implementation with a simple
#       policy intended for general purpose use. This policy provides a coarse
#       level of granularity, controllable via the kernel command line:
#     
#         lockdown={integrity|confidentiality}
#     
#       Enable the kernel lockdown feature. If set to integrity, kernel features
#       that allow userland to modify the running kernel are disabled. If set to
#       confidentiality, kernel features that allow userland to extract
#       confidential information from the kernel are also disabled.
#     
#       This may also be controlled via /sys/kernel/security/lockdown and
#       overriden by kernel configuration.
#     
#       New or existing LSMs may implement finer-grained controls of the
#       lockdown features. Refer to the lockdown_reason documentation in
#       include/linux/security.h for details.
#     
#       The lockdown feature has had signficant design feedback and review
#       across many subsystems. This code has been in linux-next for some
#       weeks, with a few fixes applied along the way.
#     
#       Stephen Rothwell noted that commit 9d1f8be5cf42 ("bpf: Restrict bpf
#       when kernel lockdown is in confidentiality mode") is missing a
#       Signed-off-by from its author. Matthew responded that he is providing
#       this under category (c) of the DCO"
#     
#     * 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (31 commits)
#       kexec: Fix file verification on S390
#       security: constify some arrays in lockdown LSM
#       lockdown: Print current->comm in restriction messages
#       efi: Restrict efivar_ssdt_load when the kernel is locked down
#       tracefs: Restrict tracefs when the kernel is locked down
#       debugfs: Restrict debugfs when the kernel is locked down
#       kexec: Allow kexec_file() with appropriate IMA policy when locked down
#       lockdown: Lock down perf when in confidentiality mode
#       bpf: Restrict bpf when kernel lockdown is in confidentiality mode
#       lockdown: Lock down tracing and perf kprobes when in confidentiality mode
#       lockdown: Lock down /proc/kcore
#       x86/mmiotrace: Lock down the testmmiotrace module
#       lockdown: Lock down module params that specify hardware parameters (eg. ioport)
#       lockdown: Lock down TIOCSSERIAL
#       lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down
#       acpi: Disable ACPI table override if the kernel is locked down
#       acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
#       ACPI: Limit access to custom_method when the kernel is locked down
#       x86/msr: Restrict MSR access when the kernel is locked down
#       x86: Lock down IO port access when the kernel is locked down
#       ...
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/arm-unknown-linux-gnueabi/bin/arm-unknown-linux-gnueabi-gcc --version
# < /opt/cross/kisskb/gcc-4.6.3-nolibc/arm-unknown-linux-gnueabi/bin/arm-unknown-linux-gnueabi-ld --version
# < git log --format=%s --max-count=1 aefcf2f4b58155d27340ba5f9ddbe9513da8286d
# < make -s -j 32 ARCH=arm O=/kisskb/build/linus_mvebu_v7_defconfig_arm CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/arm-unknown-linux-gnueabi/bin/arm-unknown-linux-gnueabi-  mvebu_v7_defconfig
# make -s -j 32 ARCH=arm O=/kisskb/build/linus_mvebu_v7_defconfig_arm CROSS_COMPILE=/opt/cross/kisskb/gcc-4.6.3-nolibc/arm-unknown-linux-gnueabi/bin/arm-unknown-linux-gnueabi-  
/kisskb/src/kernel/printk/printk.c: In function 'devkmsg_sysctl_set_loglvl':
/kisskb/src/kernel/printk/printk.c:204:16: warning: 'old' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c: In function 'init_srcu_struct_fields':
/kisskb/src/kernel/rcu/srcutree.c:140:32: warning: 'levelspread[<Ud000>]' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/kernel/rcu/srcutree.c:88:6: note: 'levelspread[<Ud000>]' was declared here
/kisskb/src/sound/soc/soc-pcm.c: In function 'soc_pcm_trigger':
/kisskb/src/sound/soc/soc-pcm.c:1074:5: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/sound/soc/soc-pcm.c: In function 'soc_pcm_bespoke_trigger':
/kisskb/src/sound/soc/soc-pcm.c:1092:9: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/base/regmap/regmap.c: In function 'regmap_raw_read':
/kisskb/src/drivers/base/regmap/regmap.c:2591:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/drivers/base/regmap/regmap.c: In function '_regmap_raw_write':
/kisskb/src/drivers/base/regmap/regmap.c:1852:6: warning: 'ret' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c: In function 'proc_reg_open':
/kisskb/src/include/linux/list.h:65:12: warning: 'pdeo' may be used uninitialized in this function [-Wuninitialized]
/kisskb/src/fs/proc/inode.c:338:21: note: 'pdeo' was declared here
/kisskb/src/fs/udf/unicode.c: In function 'udf_name_conv_char':
/kisskb/src/fs/udf/unicode.c:132:8: warning: 'c' may be used uninitialized in this function [-Wuninitialized]
WARNING: "return_address" [vmlinux] is a static EXPORT_SYMBOL_GPL
WARNING: "return_address" [vmlinux] is a static EXPORT_SYMBOL_GPL
Completed OK
# rm -rf /kisskb/build/linus_mvebu_v7_defconfig_arm
# Build took: 0:01:32.489465