diff --git a/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch b/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch
deleted file mode 100644
index d5e93c89a..000000000
--- a/pkg/debian/kernel/0001-Export-symbols-needed-by-Android-drivers.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 408551029a78a655c5fea864b45a8e370d7d9e8c Mon Sep 17 00:00:00 2001
-From: Ben Hutchings
-Date: Mon, 7 Sep 2020 02:51:53 +0100
-Subject: [PATCH 1/2] Export symbols needed by Android drivers
-
-We want to enable use of the Android ashmem and binder drivers to
-support Anbox, but they should not be built-in as that would waste
-resources and increase security attack surface on systems that don't
-need them.
-
-Export the currently un-exported symbols they depend on.
----
- fs/file.c | 1 +
- kernel/sched/core.c | 1 +
- kernel/sched/wait.c | 1 +
- kernel/task_work.c | 1 +
- mm/memory.c | 1 +
- mm/shmem.c | 1 +
- security/security.c | 4 ++++
- 7 files changed, 10 insertions(+)
-
-diff --git a/fs/file.c b/fs/file.c
-index 3e4a4dfa38fca..bdded3fcdbd87 100644
---- a/fs/file.c
-+++ b/fs/file.c
-@@ -816,6 +816,7 @@ struct file *close_fd_get_file(unsigned int fd)
-
- return file;
- }
-+EXPORT_SYMBOL_GPL(close_fd_get_file);
-
- void do_close_on_exec(struct files_struct *files)
- {
-diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 802551e0009bf..2698c78062b2f 100644
---- a/kernel/sched/core.c
-+++ b/kernel/sched/core.c
-@@ -7253,6 +7253,7 @@ static bool is_nice_reduction(const struct task_struct *p, const int nice)
-
- return (nice_rlim <= task_rlimit(p, RLIMIT_NICE));
- }
-+EXPORT_SYMBOL_GPL(can_nice);
-
- /*
- * can_nice - check if a task can reduce its nice value
-diff --git a/kernel/sched/wait.c b/kernel/sched/wait.c
-index 802d98cf2de31..8eec46f066d86 100644
---- a/kernel/sched/wait.c
-+++ b/kernel/sched/wait.c
-@@ -252,6 +252,7 @@ void __wake_up_pollfree(struct wait_queue_head *wq_head)
- /* POLLFREE must have cleared the queue.
*/
- WARN_ON_ONCE(waitqueue_active(wq_head));
- }
-+EXPORT_SYMBOL_GPL(__wake_up_pollfree);
-
- /*
- * Note: we use "set_current_state()" _after_ the wait-queue add,
-diff --git a/kernel/task_work.c b/kernel/task_work.c
-index 95a7e1b7f1dab..972c3280337e8 100644
---- a/kernel/task_work.c
-+++ b/kernel/task_work.c
-@@ -73,6 +73,7 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
-
- return 0;
- }
-+EXPORT_SYMBOL_GPL(task_work_add);
-
- /**
- * task_work_cancel_match - cancel a pending work added by task_work_add()
-diff --git a/mm/memory.c b/mm/memory.c
-index 517221f013035..b747095cfea68 100644
---- a/mm/memory.c
-+++ b/mm/memory.c
-@@ -1770,6 +1770,7 @@ void zap_page_range_single(struct vm_area_struct *vma, unsigned long address,
- tlb_finish_mmu(&tlb);
- hugetlb_zap_end(vma, details);
- }
-+EXPORT_SYMBOL_GPL(zap_page_range_single);
-
- /**
- * zap_vma_ptes - remove ptes mapping the vma
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 69595d3418829..e155894de651c 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -4871,6 +4871,7 @@ int shmem_zero_setup(struct vm_area_struct *vma)
-
- return 0;
- }
-+EXPORT_SYMBOL_GPL(shmem_zero_setup);
-
- /**
- * shmem_read_folio_gfp - read into page cache, using specified page allocation flags.
-diff --git a/security/security.c b/security/security.c
-index 23b129d482a7c..eeb7162a02674 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -799,6 +799,7 @@ int security_binder_set_context_mgr(const struct cred *mgr)
- {
- return call_int_hook(binder_set_context_mgr, 0, mgr);
- }
-+EXPORT_SYMBOL_GPL(security_binder_set_context_mgr);
-
- /**
- * security_binder_transaction() - Check if a binder transaction is allowed
-@@ -814,6 +815,7 @@ int security_binder_transaction(const struct cred *from,
- {
- return call_int_hook(binder_transaction, 0, from, to);
- }
-+EXPORT_SYMBOL_GPL(security_binder_transaction);
-
- /**
- * security_binder_transfer_binder() - Check if a binder transfer is allowed
-@@ -829,6 +831,7 @@ int security_binder_transfer_binder(const struct cred *from,
- {
- return call_int_hook(binder_transfer_binder, 0, from, to);
- }
-+EXPORT_SYMBOL_GPL(security_binder_transfer_binder);
-
- /**
- * security_binder_transfer_file() - Check if a binder file xfer is allowed
-@@ -845,6 +848,7 @@ int security_binder_transfer_file(const struct cred *from,
- {
- return call_int_hook(binder_transfer_file, 0, from, to, file);
- }
-+EXPORT_SYMBOL_GPL(security_binder_transfer_file);
-
- /**
- * security_ptrace_access_check() - Check if tracing is allowed
---
-2.42.1
-
diff --git a/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch b/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch
deleted file mode 100644
index 8b0c70289..000000000
--- a/pkg/debian/kernel/0002-android-Enable-building-ashmem-and-binder-as-modules.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 2802d75f2b216a35c6a976c0064fcc0e20d82e4b Mon Sep 17 00:00:00 2001
-From: Ben Hutchings
-Date: Fri, 22 Jun 2018 17:27:00 +0100
-Subject: [PATCH 2/2] android: Enable building ashmem and binder as modules
-
-We want to enable use of the Android ashmem and binder drivers to
-support Anbox, but they should not be built-in as that would waste
-resources and increase security attack surface on systems that don't
-need them.
-
-- Add a MODULE_LICENSE declaration to ashmem
-- Change the Makefiles to build each driver as an object with the
- "_linux" suffix (which is what Anbox expects)
-- Change config symbol types to tristate
-
-Update:
-In upstream commit 721412ed3d titled "staging: remove ashmem" the ashmem
-driver was removed entirely. Secondary commit message:
-"The mainline replacement for ashmem is memfd, so remove the legacy
-code from drivers/staging/"
-Consequently, the ashmem part of this patch has been removed.
----
- drivers/android/Kconfig | 2 +-
- drivers/android/Makefile | 7 ++++---
- drivers/android/binder_alloc.c | 2 +-
- 3 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/android/Kconfig b/drivers/android/Kconfig
-index 07aa8ae0a058c..94a3a86f9bd4f 100644
---- a/drivers/android/Kconfig
-+++ b/drivers/android/Kconfig
-@@ -2,7 +2,7 @@
- menu "Android"
-
- config ANDROID_BINDER_IPC
-- bool "Android Binder IPC Driver"
-+ tristate "Android Binder IPC Driver"
- depends on MMU
- default n
- help
-diff --git a/drivers/android/Makefile b/drivers/android/Makefile
-index c9d3d0c99c257..55411d9a9c2a1 100644
---- a/drivers/android/Makefile
-+++ b/drivers/android/Makefile
-@@ -1,6 +1,7 @@
- # SPDX-License-Identifier: GPL-2.0-only
- ccflags-y += -I$(src) # needed for trace events
-
--obj-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
--obj-$(CONFIG_ANDROID_BINDER_IPC) += binder.o binder_alloc.o
--obj-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
-+obj-$(CONFIG_ANDROID_BINDER_IPC) += binder_linux.o
-+binder_linux-y
:= binder.o binder_alloc.o
-+binder_linux-$(CONFIG_ANDROID_BINDERFS) += binderfs.o
-+binder_linux-$(CONFIG_ANDROID_BINDER_IPC_SELFTEST) += binder_alloc_selftest.o
-diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
-index e3db8297095a2..eef695eff0025 100644
---- a/drivers/android/binder_alloc.c
-+++ b/drivers/android/binder_alloc.c
-@@ -38,7 +38,7 @@ enum {
- };
- static uint32_t binder_alloc_debug_mask = BINDER_DEBUG_USER_ERROR;
-
--module_param_named(debug_mask, binder_alloc_debug_mask,
-+module_param_named(alloc_debug_mask, binder_alloc_debug_mask,
- uint, 0644);
-
- #define binder_alloc_debug(mask, x...) \
---
-2.42.1
-
diff --git a/pkg/debian/kernel/ubuntu.config b/pkg/debian/kernel/ubuntu.config
index 8bb01bafd..a8577bec0 100644
--- a/pkg/debian/kernel/ubuntu.config
+++ b/pkg/debian/kernel/ubuntu.config
@@ -40,14 +40,15 @@ CONFIG_SYSTEM_TRUSTED_KEYS=""
 CONFIG_SYSTEM_REVOCATION_KEYS=""
 ##
-## Additional options from upstream (not in PPA)
+## Modules required for running Android apps
+##
+## Ubuntu builds binder as a module by patching the Makefile. To keep it
+## simple, we just put it into vmlinux. One patch less to keep track of.
 ##
-CONFIG_ASHMEM=m
-CONFIG_ANDROID=y
-CONFIG_ANDROID_BINDER_IPC=m
-# CONFIG_ANDROID_BINDERFS is not set
-CONFIG_ANDROID_BINDER_DEVICES="binder"
+CONFIG_ANDROID_BINDER_IPC=y
+CONFIG_ANDROID_BINDERFS=y
+CONFIG_ANDROID_BINDER_DEVICES=""
 # CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set
 ##
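Review bot: `CONFIG_ANDROID_BINDER_IPC=y` with `CONFIG_ANDROID_BINDERFS=y` links binder into vmlinux for every system that boots this kernel, which is the outcome the descriptions of the two patches deleted in this same commit argued against ("increase security attack surface on systems that don't need them"), while the new comment block records only the maintenance reason. Once the driver is built in, an administrator can no longer keep the code out by not loading or by blacklisting a module, so the comment should state that trade-off and what limits exposure instead, for example `## Built in, so it cannot be blacklisted; with BINDERFS=y and BINDER_DEVICES="" no binder device should exist until binderfs is mounted.` That last part is my reading of how the driver behaves and is not shown by this hunk, so confirm it before committing the wording. It is also worth checking on the target images whether unprivileged users can mount binderfs, since that decides who can reach the built-in code.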