
pkg/debian: Update Debian-specific patches

Maximilian Luz 3 weeks ago
parent
commit
355704e243

+ 6 - 6
pkg/debian/kernel/0001-Add-secureboot-pre-signing-to-the-kernel.patch

@@ -1,4 +1,4 @@
-From e4eb5bb44e5ac84958c641f62fcfec5114d03073 Mon Sep 17 00:00:00 2001
+From c9d3ed004787ac580252b06af2642e5bb5aaf265 Mon Sep 17 00:00:00 2001
 From: Dorian Stoll <dorian.stoll@tmsp.io>
 Date: Sun, 22 Sep 2019 22:44:16 +0200
 Subject: [PATCH] Add secureboot pre-signing to the kernel
@@ -21,10 +21,10 @@ Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
  create mode 100755 scripts/sign_kernel.sh
 
 diff --git a/.gitignore b/.gitignore
-index c59dc60ba62e..d60f75150ebf 100644
+index f2f63e47fb88..99638429fcbb 100644
 --- a/.gitignore
 +++ b/.gitignore
-@@ -149,6 +149,9 @@ signing_key.priv
+@@ -159,6 +159,9 @@ signing_key.priv
  signing_key.x509
  x509.genkey
  
@@ -35,10 +35,10 @@ index c59dc60ba62e..d60f75150ebf 100644
  /all.config
  /alldef.config
 diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 801fd85c3ef6..1b1a72179a74 100644
+index 594723005d95..a5c8c487e83d 100644
 --- a/arch/x86/Makefile
 +++ b/arch/x86/Makefile
-@@ -302,6 +302,7 @@ endif
+@@ -314,6 +314,7 @@ endif
  	$(Q)$(MAKE) $(build)=$(boot) $(KBUILD_IMAGE)
  	$(Q)mkdir -p $(objtree)/arch/$(UTS_MACHINE)/boot
  	$(Q)ln -fsn ../../x86/boot/bzImage $(objtree)/arch/$(UTS_MACHINE)/boot/$@
@@ -83,5 +83,5 @@ index 000000000000..d2526a279254
 +sbsign --key $BUILDDIR/keys/MOK.key --cert $BUILDDIR/keys/MOK.crt \
 +    --output $VMLINUX $VMLINUX
 -- 
-2.45.2
+2.50.0
 

+ 2 - 2
pkg/debian/kernel/0001-Partially-revert-integrity-Only-use-machine-keyring-.patch

@@ -1,4 +1,4 @@
-From 1fb0cb1a5de985b6b8728f6a39660fcd5df29977 Mon Sep 17 00:00:00 2001
+From 020939dbfdd44d08f1da5d9d980ce27176514009 Mon Sep 17 00:00:00 2001
 From: Maximilian Luz <luzmaximilian@gmail.com>
 Date: Mon, 20 Nov 2023 22:54:05 +0100
 Subject: [PATCH] Partially revert "integrity: Only use machine keyring when
@@ -37,5 +37,5 @@ index a401640a63cd..a1ad244cbf86 100644
  
  static bool __init trust_moklist(void)
 -- 
-2.49.0
+2.50.0
 

+ 13 - 13
pkg/debian/kernel/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch

@@ -1,4 +1,4 @@
-From d70cb56d43efddd10d4263f2af24f52fb81137b9 Mon Sep 17 00:00:00 2001
+From f675a2222ecd97c5b85bf05901e3220ee90c30ba Mon Sep 17 00:00:00 2001
 From: Serge Hallyn <serge.hallyn@canonical.com>
 Date: Fri, 31 May 2013 19:12:12 +0100
 Subject: [PATCH] add sysctl to disallow unprivileged CLONE_NEWUSER by default
@@ -20,7 +20,7 @@ Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
  3 files changed, 32 insertions(+)
 
 diff --git a/kernel/fork.c b/kernel/fork.c
-index ca2ca3884f76..d9591a8a6ead 100644
+index 168681fc4b25..74abab2c65c1 100644
 --- a/kernel/fork.c
 +++ b/kernel/fork.c
 @@ -119,6 +119,12 @@
@@ -36,7 +36,7 @@ index ca2ca3884f76..d9591a8a6ead 100644
  /*
   * Minimum number of threads to boot the kernel
   */
-@@ -2171,6 +2177,10 @@ __latent_entropy struct task_struct *copy_process(
+@@ -2194,6 +2200,10 @@ __latent_entropy struct task_struct *copy_process(
  	if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
  		return ERR_PTR(-EINVAL);
  
@@ -47,7 +47,7 @@ index ca2ca3884f76..d9591a8a6ead 100644
  	/*
  	 * Thread groups must share signals as well, and detached threads
  	 * can only be started up within the thread group.
-@@ -3324,6 +3334,12 @@ int ksys_unshare(unsigned long unshare_flags)
+@@ -3354,6 +3364,12 @@ int ksys_unshare(unsigned long unshare_flags)
  	if (unshare_flags & CLONE_NEWNS)
  		unshare_flags |= CLONE_FS;
  
@@ -61,21 +61,21 @@ index ca2ca3884f76..d9591a8a6ead 100644
  	if (err)
  		goto bad_unshare_out;
 diff --git a/kernel/sysctl.c b/kernel/sysctl.c
-index cb57da499ebb..5e9ae0e6a727 100644
+index 3b7a7308e35b..cb4bab6a39bf 100644
 --- a/kernel/sysctl.c
 +++ b/kernel/sysctl.c
-@@ -135,6 +135,10 @@ static enum sysctl_writes_mode sysctl_writes_strict = SYSCTL_WRITES_STRICT;
- int sysctl_legacy_va_layout;
- #endif
+@@ -84,6 +84,10 @@ EXPORT_SYMBOL_GPL(sysctl_long_vals);
+ static const int ngroups_max = NGROUPS_MAX;
+ static const int cap_last_cap = CAP_LAST_CAP;
  
 +#ifdef CONFIG_USER_NS
 +extern int unprivileged_userns_clone;
 +#endif
 +
- #endif /* CONFIG_SYSCTL */
+ #ifdef CONFIG_PROC_SYSCTL
  
- /*
-@@ -1617,6 +1621,15 @@ static const struct ctl_table kern_table[] = {
+ /**
+@@ -1595,6 +1599,15 @@ static const struct ctl_table kern_table[] = {
  		.mode		= 0644,
  		.proc_handler	= proc_dointvec,
  	},
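Review bot: The refreshed context still carries `extern int unprivileged_userns_clone;` as a bare declaration inside kernel/sysctl.c (under `#ifdef CONFIG_USER_NS`, now between `cap_last_cap` and `#ifdef CONFIG_PROC_SYSCTL`), so the compiler never checks it against the definition, which judging by the patch's file list presumably lives in kernel/user_namespace.c. For a knob that gates unprivileged CLONE_NEWUSER, a type or name drift between the two files would go unnoticed at compile time. Moving the line into a shared header such as `include/linux/user_namespace.h`, included by each user, would keep declaration and definition in step across future rebases. If it stays in the .c file, a one-line comment such as `/* definition: kernel/user_namespace.c (confirm) */` above the declaration would help the next refresh. The added kern_table entry lies outside this hunk's visible lines, so its mode and handler could not be checked here.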
@@ -92,7 +92,7 @@ index cb57da499ebb..5e9ae0e6a727 100644
  	{
  		.procname	= "tainted",
 diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
-index aa0b2e47f2f2..222bb2b40b73 100644
+index 682f40d5632d..bf265ad528f9 100644
 --- a/kernel/user_namespace.c
 +++ b/kernel/user_namespace.c
 @@ -22,6 +22,9 @@
@@ -106,5 +106,5 @@ index aa0b2e47f2f2..222bb2b40b73 100644
  static DEFINE_MUTEX(userns_state_mutex);
  
 -- 
-2.49.0
+2.50.0
 

+ 2 - 2
pkg/debian/kernel/0001-kbuild-Copy-config-to-target-directory.patch

@@ -1,4 +1,4 @@
-From 95802baf706303292278c2ae4347f5c3aa9dcece Mon Sep 17 00:00:00 2001
+From b62686b48f37ac9a8807d3e26523226ff900c27c Mon Sep 17 00:00:00 2001
 From: Maximilian Luz <luzmaximilian@gmail.com>
 Date: Sun, 20 Apr 2025 03:02:20 +0200
 Subject: [PATCH] kbuild: Copy config to target directory
@@ -20,5 +20,5 @@ index b96538787f3d..718bd64d060e 100755
 +
  find "${destdir}" \( -name '.*.cmd' -o -name '*.o' \) -delete
 -- 
-2.49.0
+2.50.0
 

+ 2 - 2
pkg/debian/kernel/0001-kbuild-Link-sign-file-statically.patch

@@ -1,4 +1,4 @@
-From b1c72eb34eabfd56cbe5a1b98b827aded4917125 Mon Sep 17 00:00:00 2001
+From d31ef20443261b91cc47efbcc749369f5df29c95 Mon Sep 17 00:00:00 2001
 From: Maximilian Luz <luzmaximilian@gmail.com>
 Date: Sun, 30 Jun 2024 17:10:28 +0200
 Subject: [PATCH] kbuild: Link sign-file statically
@@ -21,5 +21,5 @@ index 46f860529df5..7846e18ef5d8 100644
  ifdef CONFIG_UNWINDER_ORC
  ifeq ($(ARCH),x86_64)
 -- 
-2.49.0
+2.50.0