Patch kernel: backport af_unix UAF fix in unix_stream_data_wait() (torvalds/linux@be309f8eae8b)

.CodeQL.yml

@@ -0,0 +1,29 @@
+path_classifiers:
+  library:
+    # Treat source files for all compiled languages in the specs directories
+    # as 3rd party library sources because they are not owned by us.
+    #
+    # Extensions from https://codeql.github.com/docs/codeql-overview/supported-languages-and-frameworks/.
+    - "SPECS*/**/*.c"
+    - "SPECS*/**/*.c++"
+    - "SPECS*/**/*.cc"
+    - "SPECS*/**/*.cpp"
+    - "SPECS*/**/*.cs"
+    - "SPECS*/**/*.cshtml"
+    - "SPECS*/**/*.csproj"
+    - "SPECS*/**/*.cts"
+    - "SPECS*/**/*.cxx"
+    - "SPECS*/**/*.go"
+    - "SPECS*/**/*.h"
+    - "SPECS*/**/*.h++"
+    - "SPECS*/**/*.hh"
+    - "SPECS*/**/*.hpp"
+    - "SPECS*/**/*.hxx"
+    - "SPECS*/**/*.java"
+    - "SPECS*/**/*.kt"
+    - "SPECS*/**/*.mts"
+    - "SPECS*/**/*.sln"
+    - "SPECS*/**/*.swift"
+    - "SPECS*/**/*.ts"
+    - "SPECS*/**/*.tsx"
+    - "SPECS*/**/*.xaml"

.config/CredScanSuppressions.json

@@ -24,6 +24,10 @@
         {
             "file": "\\toolkit\\imageconfigs\\read-only-root-efi.json",
             "_justification": "Secret for a sample, non-production Mariner image."
+        },
+        {
+            "file": "\\toolkit\\tools\\imagecustomizer\\docs\\configuration.md",
+            "_justification": "Secrets from documentation samples. No production secrets."
         }
     ]
 }

.github/CODEOWNERS

@@ -1,76 +1,2 @@
-# By default all files require a review by at lest one member of the CBL-Mariner developers team.
-* @microsoft/cbl-mariner-devs
-
-# Modification to this file require admin approval.
-/.github/CODEOWNERS @microsoft/cbl-mariner-admins
-
-# Modifications to the build pipelines require admin approval.
-/.pipelines/* @microsoft/cbl-mariner-admins
-
-# Modifications to the CredScan exceptions require admin approval.
-/.config/CredScanSuppressions.json @microsoft/cbl-mariner-admins
-
-# Modification to what is considered "core packages" require admin approval.
-/SPECS/core-packages/* @microsoft/cbl-mariner-admins
-
-# Modification to specific packages go to specific teams
-/SPECS/installkernel/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-azure/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-hci/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-headers/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-mshv/* @microsoft/cbl-mariner-kernel
-/SPECS/kernel-uvm/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-hci-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-azure-signed/* @microsoft/cbl-mariner-kernel
-/SPECS-SIGNED/kernel-mstflint-signed/* @microsoft/cbl-mariner-kernel
-
-/SPECS/grub2/* @microsoft/cbl-mariner-bootloader
-/SPECS/grubby/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned-x64/* @microsoft/cbl-mariner-bootloader
-/SPECS/shim-unsigned-aarch64/* @microsoft/cbl-mariner-bootloader
-/SPECS-SIGNED/grub2-efi-binary-signed/* @microsoft/cbl-mariner-bootloader
-
-/SPECS/dracut/* @microsoft/cbl-mariner-dracut
-/SPECS/initramfs/* @microsoft/cbl-mariner-dracut
-/SPECS/verity-read-only-root/* @microsoft/cbl-mariner-dracut
-
-/SPECS/systemd/* @microsoft/cbl-mariner-systemd
-
-/SPECS/bcc/* @microsoft/cbl-mariner-debug-tools
-/SPECS/bpftrace/* @microsoft/cbl-mariner-debug-tools
-/SPECS/crash/* @microsoft/cbl-mariner-debug-tools
-/SPECS/gdb/* @microsoft/cbl-mariner-debug-tools
-/SPECS/kexec-tools/* @microsoft/cbl-mariner-debug-tools
-
-/SPECS/openssl/* @microsoft/cbl-mariner-openssl
-/SPECS/SymCrypt-OpenSSL/* @microsoft/cbl-mariner-openssl
-/SPECS/SymCrypt/* @microsoft/cbl-mariner-openssl
-/SPECS/KeysInUse-OpenSSL/* @microsoft/cbl-mariner-openssl
-
-/SPECS/dnf/* @microsoft/cbl-mariner-package-managers
-/SPECS/dnf-plugins-core/* @microsoft/cbl-mariner-package-managers
-/SPECS/rpm/* @microsoft/cbl-mariner-package-managers
-/SPECS/tdnf/* @microsoft/cbl-mariner-package-managers
-
-/SPECS/moby-buildx/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-cli/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-containerd/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-containerd-cc/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-engine/* @microsoft/cbl-mariner-container-runtime
-/SPECS/moby-runc/* @microsoft/cbl-mariner-container-runtime
-/SPECS/kata-containers/* @microsoft/cbl-mariner-container-runtime
-/SPECS/kata-containers-cc/* @microsoft/cbl-mariner-container-runtime
-
-/SPECS/cloud-hypervisor/* @microsoft/cbl-mariner-virtualization
-
-/SPECS/cloud-init/* @microsoft/cbl-mariner-provisioning
-/SPECS/walinuxagent/* @microsoft/cbl-mariner-provisioning
-
-# Modifications to the raw toolchain require admin approval.
-/toolkit/scripts/toolchain/container/* @microsoft/cbl-mariner-admins
-/toolkit/scripts/toolchain/cgmanifest.json @microsoft/cbl-mariner-admins
-/toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins
+# For stable release branches, ensure stable release maintainers are added as code reviewers
+* @microsoft/cbl-mariner-stable-maintainers

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,24 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots or log outputs to help explain your problem.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/questions-feedback.md

@@ -0,0 +1,14 @@
+---
+name: Questions/Feedback
+about: Ask general questions or provide feedback other than a bug or feature
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Ask your question or provide your feedback**
+A clear and concise description of what the question/feedback is.
+
+**Screenshots**
+If applicable, add screenshots or log outputs to help explain your question/feedback.

.github/pull_request_template.md

@@ -17,6 +17,7 @@ Feel free to delete sections of the template which do not apply to your PR, or a
 - [ ] All source files have up-to-date hashes in the `*.signatures.json` files
 - [ ] `sudo make go-tidy-all` and `sudo make go-test-coverage` pass
 - [ ] Documentation has been updated to match any changes to the build system
+- [ ] If you are adding/removing a .spec file that has multiple-versions supported, please add [@microsoft/cbl-mariner-multi-package-reviewers](https://github.com/orgs/microsoft/teams/cbl-mariner-multi-package-reviewers) team as reviewer [(Eg. golang has 2 versions 1.18, 1.21+)](https://github.com/microsoft/azurelinux/tree/2.0/SPECS/golang)
 - [ ] Ready to merge
 
 ---

.github/workflows/check-clean-stage.yml

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-clean-stage-check:
     name: Spec %clean stage check

.github/workflows/check-entangled-specs.yml

@@ -12,6 +12,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   check:
     name: Spec Entanglement Mismatch Check
@@ -23,10 +25,10 @@ jobs:
         uses: actions/checkout@v4
 
       # For consistency, we use the same major/minor version of Python that CBL-Mariner ships
-      - name: Setup Python 3.7
+      - name: Setup Python 3.9
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
+          python-version: 3.9
 
       - name: Get Python dependencies
         run: python3 -m pip install -r toolkit/scripts/requirements.txt

.github/workflows/check-license-map.yml

@@ -11,6 +11,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   check:
     name: Spec License Map Check

.github/workflows/check-livepatches.yml

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [2.0, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Livepatches check
@@ -51,7 +53,7 @@ jobs:
           #################### CHECK FAILURE ####################
           Livepatch specs need to be updated!
           Run the following command to perform the update:
-          
+
               toolkit/scripts/livepatching/update_livepatches.sh
 
           #################### CHECK FAILURE ####################

.github/workflows/check-manifests.yml

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   build:
     name: Check Manifests

.github/workflows/check-package-cgmanifest.yml

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 
   build: