autu: Update to 3.16.82-1

4 files changed, 590 insertions, 17 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 365161eb98e1..51b2d34c0e6a 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,5 +1,5 @@
 pkgbase = linux-lts316
-	pkgver = 3.16.81
+	pkgver = 3.16.82
 	pkgrel = 1
 	url = https://www.kernel.org/
 	arch = i686
@@ -12,34 +12,37 @@ pkgbase = linux-lts316
 	makedepends = bc
 	options = !strip
 	source = https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.16.tar.xz
-	source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.16.81.xz
+	source = https://www.kernel.org/pub/linux/kernel/v3.x/patch-3.16.82.xz
 	source = config
 	source = config.x86_64
 	source = 99-linux.hook
 	source = linux.preset
 	source = change-default-console-loglevel.patch
-	source = 0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch
 	source = 0001-binutils.2.31.max-page-size.patch
+	source = 0002-binutils.2.34.sysexit.patch
+	source = 0003-systemd.245.kernel.316.ambient.capabilities.patch
 	source = update.sh
 	md5sums = 5c569ed649a0c9711879f333e90c5386
-	md5sums = 40d08732754c661356ca5a8e86005a58
+	md5sums = 8da6a4c655cecd0f2657436334a60d9c
 	md5sums = 5c85a1cef25029a8eb87d0edeec0cb04
 	md5sums = f45197ec50bb5f7a85991f6e99ad49c6
 	md5sums = 90cd68710e3064d9b65f5549570f7821
 	md5sums = eb14dcfd80c00852ef81ded6e826826a
 	md5sums = df7fceae6ee5d7e7be7b60ecd7f6bb35
-	md5sums = faaee4c0db3a87bb45aa4e964727f308
 	md5sums = 07dc499a909a3bb63fc3fdc0d0652e64
+	md5sums = 43d62abf4cd27fa1863759ac87b62ac5
+	md5sums = 4f2248545c0a3997a1d301195b7dcfe7
 	md5sums = e6a1be64b190d846648d671c012d6dd3
 	sha256sums = 4813ad7927a7d92e5339a873ab16201b242b2748934f12cb5df9ba2cfe1d77a0
-	sha256sums = 9eee44021dc9e229c2d1b1601cec0d6e623e00147fd27b0fd0cf624fcdcee24d
+	sha256sums = 82bd3706afe2beff9ff9a00fae0dd7f92e6f8f300ba0bbe8cc778c2bced20a11
 	sha256sums = 3bce3e9adce8ae3f826eebab75e9784ca92a914e526ae352de61c1da93aab8d3
 	sha256sums = 328539797005cb43362b75ca9965791a1ed34525101c286e4fb49694faa40e4c
 	sha256sums = 834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0
 	sha256sums = f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c
 	sha256sums = 1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99
-	sha256sums = b0f101562baca5f8aed72ba90638763ef2be8f4618c111a50334970dd03dfb4b
 	sha256sums = f71e0de924013fe60c3cbed45f322e6a09942db978daeddd18adb8582373b5ed
+	sha256sums = 2c80046fa78bfa6e26ae6d8ac312142d9d67b394914fee423578583fe7ab15db
+	sha256sums = abbb27b46cf00bf6d4859c4d8dfcf1d6f32e385d3dbf04790abda8b4dae6540a
 	sha256sums = 4dad3093e0c2bd7dafd30a0344b4df6432c3a7d1422edc4e0d1e6201aa513648
 
 pkgname = linux-lts316
@@ -50,12 +53,12 @@ pkgname = linux-lts316
 	depends = kmod
 	depends = mkinitcpio>=0.7
 	optdepends = crda: to set the correct wireless channels of your country
-	provides = linux=3.16.81
+	provides = linux=3.16.82
 	backup = etc/mkinitcpio.d/linux-lts316.preset
 
 pkgname = linux-lts316-headers
 	pkgdesc = Header files and scripts for building modules for Linux-lts316 kernel
-	provides = linux-headers=3.16.81
+	provides = linux-headers=3.16.82
 
 pkgname = linux-lts316-docs
 	pkgdesc = Kernel hackers manual - HTML documentation that comes with the Linux-lts316 kernel
diff --git a/0002-binutils.2.34.sysexit.patch b/0002-binutils.2.34.sysexit.patch
new file mode 100644
index 000000000000..dcaf62b1520d
--- /dev/null
+++ b/0002-binutils.2.34.sysexit.patch
@@ -0,0 +1,18 @@
+diff -up linux-4.4/arch/x86/Makefile.orig linux-4.4/arch/x86/Makefile
+--- linux-4.4/arch/x86/Makefile.orig	2020-03-19 03:08:53.569999999 -0600
++++ linux-4.4/arch/x86/Makefile	2020-03-19 03:38:57.889999999 -0600
+@@ -218,6 +218,14 @@ KBUILD_CFLAGS += -fno-asynchronous-unwin
+ KBUILD_CFLAGS += $(mflags-y)
+ KBUILD_AFLAGS += $(mflags-y)
+ 
++#
++# Binutils 2.34 cannot handle sysexit, this corrects for now.
++#
++ifdef CONFIG_X86_64
++KBUILD_AFLAGS += -Wa,-mintel64
++KBUILD_CFLAGS += -Wa,-mintel64
++endif
++
+ # Avoid indirect branches in kernel to deal with Spectre
+ ifdef CONFIG_RETPOLINE
+     RETPOLINE_CFLAGS += $(call cc-option,-mindirect-branch=thunk-extern -mindirect-branch-register)
diff --git a/0003-systemd.245.kernel.316.ambient.capabilities.patch b/0003-systemd.245.kernel.316.ambient.capabilities.patch
new file mode 100644
index 000000000000..ca81cf96c7a2
--- /dev/null
+++ b/0003-systemd.245.kernel.316.ambient.capabilities.patch
@@ -0,0 +1,541 @@
+From 2ddfe869e9964afe1175919557e6b4f18b78941a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Fri, 4 Sep 2015 15:42:45 -0700
+Subject: [PATCH] UPSTREAM: capabilities: ambient capabilities
+
+Credit where credit is due: this idea comes from Christoph Lameter with
+a lot of valuable input from Serge Hallyn.  This patch is heavily based
+on Christoph's patch.
+
+===== The status quo =====
+
+On Linux, there are a number of capabilities defined by the kernel.  To
+perform various privileged tasks, processes can wield capabilities that
+they hold.
+
+Each task has four capability masks: effective (pE), permitted (pP),
+inheritable (pI), and a bounding set (X).  When the kernel checks for a
+capability, it checks pE.  The other capability masks serve to modify
+what capabilities can be in pE.
+
+Any task can remove capabilities from pE, pP, or pI at any time.  If a
+task has a capability in pP, it can add that capability to pE and/or pI.
+If a task has CAP_SETPCAP, then it can add any capability to pI, and it
+can remove capabilities from X.
+
+Tasks are not the only things that can have capabilities; files can also
+have capabilities.  A file can have no capabilty information at all [1].
+If a file has capability information, then it has a permitted mask (fP)
+and an inheritable mask (fI) as well as a single effective bit (fE) [2].
+File capabilities modify the capabilities of tasks that execve(2) them.
+
+A task that successfully calls execve has its capabilities modified for
+the file ultimately being excecuted (i.e.  the binary itself if that
+binary is ELF or for the interpreter if the binary is a script.) [3] In
+the capability evolution rules, for each mask Z, pZ represents the old
+value and pZ' represents the new value.  The rules are:
+
+  pP' = (X & fP) | (pI & fI)
+  pI' = pI
+  pE' = (fE ? pP' : 0)
+  X is unchanged
+
+For setuid binaries, fP, fI, and fE are modified by a moderately
+complicated set of rules that emulate POSIX behavior.  Similarly, if
+euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
+(primary, fP and fI usually end up being the full set).  For nonroot
+users executing binaries with neither setuid nor file caps, fI and fP
+are empty and fE is false.
+
+As an extra complication, if you execute a process as nonroot and fE is
+set, then the "secure exec" rules are in effect: AT_SECURE gets set,
+LD_PRELOAD doesn't work, etc.
+
+This is rather messy.  We've learned that making any changes is
+dangerous, though: if a new kernel version allows an unprivileged
+program to change its security state in a way that persists cross
+execution of a setuid program or a program with file caps, this
+persistent state is surprisingly likely to allow setuid or file-capped
+programs to be exploited for privilege escalation.
+
+===== The problem =====
+
+Capability inheritance is basically useless.
+
+If you aren't root and you execute an ordinary binary, fI is zero, so
+your capabilities have no effect whatsoever on pP'.  This means that you
+can't usefully execute a helper process or a shell command with elevated
+capabilities if you aren't root.
+
+On current kernels, you can sort of work around this by setting fI to
+the full set for most or all non-setuid executable files.  This causes
+pP' = pI for nonroot, and inheritance works.  No one does this because
+it's a PITA and it isn't even supported on most filesystems.
+
+If you try this, you'll discover that every nonroot program ends up with
+secure exec rules, breaking many things.
+
+This is a problem that has bitten many people who have tried to use
+capabilities for anything useful.
+
+===== The proposed change =====
+
+This patch adds a fifth capability mask called the ambient mask (pA).
+pA does what most people expect pI to do.
+
+pA obeys the invariant that no bit can ever be set in pA if it is not
+set in both pP and pI.  Dropping a bit from pP or pI drops that bit from
+pA.  This ensures that existing programs that try to drop capabilities
+still do so, with a complication.  Because capability inheritance is so
+broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
+then calling execve effectively drops capabilities.  Therefore,
+setresuid from root to nonroot conditionally clears pA unless
+SECBIT_NO_SETUID_FIXUP is set.  Processes that don't like this can
+re-add bits to pA afterwards.
+
+The capability evolution rules are changed:
+
+  pA' = (file caps or setuid or setgid ? 0 : pA)
+  pP' = (X & fP) | (pI & fI) | pA'
+  pI' = pI
+  pE' = (fE ? pP' : pA')
+  X is unchanged
+
+If you are nonroot but you have a capability, you can add it to pA.  If
+you do so, your children get that capability in pA, pP, and pE.  For
+example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
+automatically bind low-numbered ports.  Hallelujah!
+
+Unprivileged users can create user namespaces, map themselves to a
+nonzero uid, and create both privileged (relative to their namespace)
+and unprivileged process trees.  This is currently more or less
+impossible.  Hallelujah!
+
+You cannot use pA to try to subvert a setuid, setgid, or file-capped
+program: if you execute any such program, pA gets cleared and the
+resulting evolution rules are unchanged by this patch.
+
+Users with nonzero pA are unlikely to unintentionally leak that
+capability.  If they run programs that try to drop privileges, dropping
+privileges will still work.
+
+It's worth noting that the degree of paranoia in this patch could
+possibly be reduced without causing serious problems.  Specifically, if
+we allowed pA to persist across executing non-pA-aware setuid binaries
+and across setresuid, then, naively, the only capabilities that could
+leak as a result would be the capabilities in pA, and any attacker
+*already* has those capabilities.  This would make me nervous, though --
+setuid binaries that tried to privilege-separate might fail to do so,
+and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
+unexpected side effects.  (Whether these unexpected side effects would
+be exploitable is an open question.) I've therefore taken the more
+paranoid route.  We can revisit this later.
+
+An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
+ambient capabilities.  I think that this would be annoying and would
+make granting otherwise unprivileged users minor ambient capabilities
+(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
+it is with this patch.
+
+===== Footnotes =====
+
+[1] Files that are missing the "security.capability" xattr or that have
+unrecognized values for that xattr end up with has_cap set to false.
+The code that does that appears to be complicated for no good reason.
+
+[2] The libcap capability mask parsers and formatters are dangerously
+misleading and the documentation is flat-out wrong.  fE is *not* a mask;
+it's a single bit.  This has probably confused every single person who
+has tried to use file capabilities.
+
+[3] Linux very confusingly processes both the script and the interpreter
+if applicable, for reasons that elude me.  The results from thinking
+about a script's file capabilities and/or setuid bits are mostly
+discarded.
+
+Preliminary userspace code is here, but it needs updating:
+https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2
+
+Here is a test program that can be used to verify the functionality
+(from Christoph):
+
+/*
+ * Test program for the ambient capabilities. This program spawns a shell
+ * that allows running processes with a defined set of capabilities.
+ *
+ * (C) 2015 Christoph Lameter <cl@linux.com>
+ * Released under: GPL v3 or later.
+ *
+ *
+ * Compile using:
+ *
+ *	gcc -o ambient_test ambient_test.o -lcap-ng
+ *
+ * This program must have the following capabilities to run properly:
+ * Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
+ *
+ * A command to equip the binary with the right caps is:
+ *
+ *	setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
+ *
+ *
+ * To get a shell with additional caps that can be inherited by other processes:
+ *
+ *	./ambient_test /bin/bash
+ *
+ *
+ * Verifying that it works:
+ *
+ * From the bash spawed by ambient_test run
+ *
+ *	cat /proc/$$/status
+ *
+ * and have a look at the capabilities.
+ */
+
+/*
+ * Definitions from the kernel header files. These are going to be removed
+ * when the /usr/include files have these defined.
+ */
+
+static void set_ambient_cap(int cap)
+{
+	int rc;
+
+	capng_get_caps_process();
+	rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
+	if (rc) {
+		printf("Cannot add inheritable cap\n");
+		exit(2);
+	}
+	capng_apply(CAPNG_SELECT_CAPS);
+
+	/* Note the two 0s at the end. Kernel checks for these */
+	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
+		perror("Cannot set cap");
+		exit(1);
+	}
+}
+
+int main(int argc, char **argv)
+{
+	int rc;
+
+	set_ambient_cap(CAP_NET_RAW);
+	set_ambient_cap(CAP_NET_ADMIN);
+	set_ambient_cap(CAP_SYS_NICE);
+
+	printf("Ambient_test forking shell\n");
+	if (execv(argv[1], argv + 1))
+		perror("Cannot exec");
+
+	return 0;
+}
+
+Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Aaron Jones <aaronmdjones@gmail.com>
+Cc: Ted Ts'o <tytso@mit.edu>
+Cc: Andrew G. Morgan <morgan@kernel.org>
+Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
+Cc: Markku Savela <msa@moth.iki.fi>
+Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
+Cc: Michael Kerrisk <mtk.manpages@gmail.com>
+Cc: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+(cherry picked from commit 58319057b7847667f0c9585b9de0e8932b0fdb08)
+
+Bug: 31038224
+Change-Id: I88bc5caa782dc6be23dc7e839ff8e11b9a903f8c
+Signed-off-by: Jorge Lucangeli Obes <jorgelo@google.com>
+---
+ fs/proc/array.c              |   5 +-
+ include/linux/cred.h         |   8 +++
+ include/uapi/linux/prctl.h   |   7 +++
+ kernel/user_namespace.c      |   1 +
+ security/commoncap.c         | 102 +++++++++++++++++++++++++++++++----
+ security/keys/process_keys.c |   1 +
+ 6 files changed, 113 insertions(+), 11 deletions(-)
+
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 44a6da1a9d499..c260202549a4b 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -306,7 +306,8 @@ static void render_cap_t(struct seq_file *m, const char *header,
+ static inline void task_cap(struct seq_file *m, struct task_struct *p)
+ {
+ 	const struct cred *cred;
+-	kernel_cap_t cap_inheritable, cap_permitted, cap_effective, cap_bset;
++	kernel_cap_t cap_inheritable, cap_permitted, cap_effective,
++			cap_bset, cap_ambient;
+ 
+ 	rcu_read_lock();
+ 	cred = __task_cred(p);
+@@ -314,12 +315,14 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
+ 	cap_permitted	= cred->cap_permitted;
+ 	cap_effective	= cred->cap_effective;
+ 	cap_bset	= cred->cap_bset;
++	cap_ambient	= cred->cap_ambient;
+ 	rcu_read_unlock();
+ 
+ 	render_cap_t(m, "CapInh:\t", &cap_inheritable);
+ 	render_cap_t(m, "CapPrm:\t", &cap_permitted);
+ 	render_cap_t(m, "CapEff:\t", &cap_effective);
+ 	render_cap_t(m, "CapBnd:\t", &cap_bset);
++	render_cap_t(m, "CapAmb:\t", &cap_ambient);
+ }
+ 
+ static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
+diff --git a/include/linux/cred.h b/include/linux/cred.h
+index e8b8574f57dc2..9bdb6a13c3379 100644
+--- a/include/linux/cred.h
++++ b/include/linux/cred.h
+@@ -123,6 +123,7 @@ struct cred {
+ 	kernel_cap_t	cap_permitted;	/* caps we're permitted */
+ 	kernel_cap_t	cap_effective;	/* caps we can actually use */
+ 	kernel_cap_t	cap_bset;	/* capability bounding set */
++	kernel_cap_t	cap_ambient;	/* Ambient capability set */
+ #ifdef CONFIG_KEYS
+ 	unsigned char	jit_keyring;	/* default keyring to attach requested
+ 					 * keys to */
+@@ -198,6 +199,13 @@ static inline void validate_process_creds(void)
+ }
+ #endif
+ 
++static inline bool cap_ambient_invariant_ok(const struct cred *cred)
++{
++	return cap_issubset(cred->cap_ambient,
++			    cap_intersect(cred->cap_permitted,
++					  cred->cap_inheritable));
++}
++
+ /**
+  * get_new_cred - Get a reference on a new set of credentials
+  * @cred: The new credentials to reference
+diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
+index b873affd5f6e0..69e25ad49bbf0 100644
+--- a/include/uapi/linux/prctl.h
++++ b/include/uapi/linux/prctl.h
+@@ -165,4 +165,11 @@
+ # define PR_SPEC_DISABLE		(1UL << 2)
+ # define PR_SPEC_FORCE_DISABLE		(1UL << 3)
+ 
++/* Control the ambient capability set */
++#define PR_CAP_AMBIENT			47
++# define PR_CAP_AMBIENT_IS_SET		1
++# define PR_CAP_AMBIENT_RAISE		2
++# define PR_CAP_AMBIENT_LOWER		3
++# define PR_CAP_AMBIENT_CLEAR_ALL	4
++
+ #endif /* _LINUX_PRCTL_H */
+diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
+index 0d48e986cb360..fe5e2362c96bf 100644
+--- a/kernel/user_namespace.c
++++ b/kernel/user_namespace.c
+@@ -42,6 +42,7 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
+ 	cred->cap_inheritable = CAP_EMPTY_SET;
+ 	cred->cap_permitted = CAP_FULL_SET;
+ 	cred->cap_effective = CAP_FULL_SET;
++	cred->cap_ambient = CAP_EMPTY_SET;
+ 	cred->cap_bset = CAP_FULL_SET;
+ #ifdef CONFIG_KEYS
+ 	key_put(cred->request_key_auth);
+diff --git a/security/commoncap.c b/security/commoncap.c
+index 24c635fff5a4b..fc02de385bf94 100644
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -277,6 +277,16 @@ int cap_capset(struct cred *new,
+ 	new->cap_effective   = *effective;
+ 	new->cap_inheritable = *inheritable;
+ 	new->cap_permitted   = *permitted;
++
++	/*
++	 * Mask off ambient bits that are no longer both permitted and
++	 * inheritable.
++	 */
++	new->cap_ambient = cap_intersect(new->cap_ambient,
++					 cap_intersect(*permitted,
++						       *inheritable));
++	if (WARN_ON(!cap_ambient_invariant_ok(new)))
++		return -EINVAL;
+ 	return 0;
+ }
+ 
+@@ -357,6 +367,7 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
+ 
+ 		/*
+ 		 * pP' = (X & fP) | (pI & fI)
++		 * The addition of pA' is handled later.
+ 		 */
+ 		new->cap_permitted.cap[i] =
+ 			(new->cap_bset.cap[i] & permitted) |
+@@ -488,10 +499,13 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ {
+ 	const struct cred *old = current_cred();
+ 	struct cred *new = bprm->cred;
+-	bool effective, has_cap = false;
++	bool effective, has_cap = false, is_setid;
+ 	int ret;
+ 	kuid_t root_uid;
+ 
++	if (WARN_ON(!cap_ambient_invariant_ok(old)))
++		return -EPERM;
++
+ 	effective = false;
+ 	ret = get_file_caps(bprm, &effective, &has_cap);
+ 	if (ret < 0)
+@@ -536,8 +550,9 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ 	 *
+ 	 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
+ 	 */
+-	if ((!uid_eq(new->euid, old->uid) ||
+-	     !gid_eq(new->egid, old->gid) ||
++	is_setid = !uid_eq(new->euid, old->uid) || !gid_eq(new->egid, old->gid);
++
++	if ((is_setid ||
+ 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
+ 	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
+ 		/* downgrade; they get no more than they had, and maybe less */
+@@ -553,10 +568,28 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ 	new->suid = new->fsuid = new->euid;
+ 	new->sgid = new->fsgid = new->egid;
+ 
++	/* File caps or setid cancels ambient. */
++	if (has_cap || is_setid)
++		cap_clear(new->cap_ambient);
++
++	/*
++	 * Now that we've computed pA', update pP' to give:
++	 *   pP' = (X & fP) | (pI & fI) | pA'
++	 */
++	new->cap_permitted = cap_combine(new->cap_permitted, new->cap_ambient);
++
++	/*
++	 * Set pE' = (fE ? pP' : pA').  Because pA' is zero if fE is set,
++	 * this is the same as pE' = (fE ? pP' : 0) | pA'.
++	 */
+ 	if (effective)
+ 		new->cap_effective = new->cap_permitted;
+ 	else
+-		cap_clear(new->cap_effective);
++		new->cap_effective = new->cap_ambient;
++
++	if (WARN_ON(!cap_ambient_invariant_ok(new)))
++		return -EPERM;
++
+ 	bprm->cap_effective = effective;
+ 
+ 	/*
+@@ -571,7 +604,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ 	 * Number 1 above might fail if you don't have a full bset, but I think
+ 	 * that is interesting information to audit.
+ 	 */
+-	if (!cap_isclear(new->cap_effective)) {
++	if (!cap_issubset(new->cap_effective, new->cap_ambient)) {
+ 		if (!cap_issubset(CAP_FULL_SET, new->cap_effective) ||
+ 		    !uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid) ||
+ 		    issecure(SECURE_NOROOT)) {
+@@ -582,6 +615,10 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ 	}
+ 
+ 	new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
++
++	if (WARN_ON(!cap_ambient_invariant_ok(new)))
++		return -EPERM;
++
+ 	return 0;
+ }
+ 
+@@ -603,7 +640,7 @@ int cap_bprm_secureexec(struct linux_binprm *bprm)
+ 	if (!uid_eq(cred->uid, root_uid)) {
+ 		if (bprm->cap_effective)
+ 			return 1;
+-		if (!cap_isclear(cred->cap_permitted))
++		if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
+ 			return 1;
+ 	}
+ 
+@@ -705,10 +742,18 @@ static inline void cap_emulate_setxuid(struct cred *new, const struct cred *old)
+ 	     uid_eq(old->suid, root_uid)) &&
+ 	    (!uid_eq(new->uid, root_uid) &&
+ 	     !uid_eq(new->euid, root_uid) &&
+-	     !uid_eq(new->suid, root_uid)) &&
+-	    !issecure(SECURE_KEEP_CAPS)) {
+-		cap_clear(new->cap_permitted);
+-		cap_clear(new->cap_effective);
++	     !uid_eq(new->suid, root_uid))) {
++		if (!issecure(SECURE_KEEP_CAPS)) {
++			cap_clear(new->cap_permitted);
++			cap_clear(new->cap_effective);
++		}
++
++		/*
++		 * Pre-ambient programs expect setresuid to nonroot followed
++		 * by exec to drop capabilities.  We should make sure that
++		 * this remains the case.
++		 */
++		cap_clear(new->cap_ambient);
+ 	}
+ 	if (uid_eq(old->euid, root_uid) && !uid_eq(new->euid, root_uid))
+ 		cap_clear(new->cap_effective);
+@@ -940,6 +985,43 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+ 			new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
+ 		goto changed;
+ 
++	case PR_CAP_AMBIENT:
++		if (arg2 == PR_CAP_AMBIENT_CLEAR_ALL) {
++			if (arg3 | arg4 | arg5)
++				return -EINVAL;
++
++			new = prepare_creds();
++			if (!new)
++				return -ENOMEM;
++			cap_clear(new->cap_ambient);
++			return commit_creds(new);
++		}
++
++		if (((!cap_valid(arg3)) | arg4 | arg5))
++			return -EINVAL;
++
++		if (arg2 == PR_CAP_AMBIENT_IS_SET) {
++			return !!cap_raised(current_cred()->cap_ambient, arg3);
++		} else if (arg2 != PR_CAP_AMBIENT_RAISE &&
++			   arg2 != PR_CAP_AMBIENT_LOWER) {
++			return -EINVAL;
++		} else {
++			if (arg2 == PR_CAP_AMBIENT_RAISE &&
++			    (!cap_raised(current_cred()->cap_permitted, arg3) ||
++			     !cap_raised(current_cred()->cap_inheritable,
++					 arg3)))
++				return -EPERM;
++
++			new = prepare_creds();
++			if (!new)
++				return -ENOMEM;
++			if (arg2 == PR_CAP_AMBIENT_RAISE)
++				cap_raise(new->cap_ambient, arg3);
++			else
++				cap_lower(new->cap_ambient, arg3);
++			return commit_creds(new);
++		}
++
+ 	default:
+ 		/* No functionality available - continue with default */
+ 		error = -ENOSYS;
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index e56b57f04cf96..4dc18af8af116 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -862,6 +862,7 @@ void key_change_session_keyring(struct callback_head *twork)
+ 	new->cap_inheritable	= old->cap_inheritable;
+ 	new->cap_permitted	= old->cap_permitted;
+ 	new->cap_effective	= old->cap_effective;
++	new->cap_ambient	= old->cap_ambient;
+ 	new->cap_bset		= old->cap_bset;
+ 
+ 	new->jit_keyring	= old->jit_keyring;
diff --git a/PKGBUILD b/PKGBUILD
index 18fb5495fad0..c8b5e74eb0bf 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,7 +6,7 @@
 set -u
 pkgbase="linux-lts316"
 _srcname="linux-3.16"
-pkgver="3.16.81"
+pkgver="3.16.82"
 pkgrel='1'
 arch=('i686' 'x86_64')
 url="https://www.kernel.org/"
@@ -24,29 +24,33 @@ source=(
   # standard config files for mkinitcpio ramdisk
   'linux.preset'
   'change-default-console-loglevel.patch'
-  '0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch' # https://www.reddit.com/r/linuxquestions/comments/903xwq/unable_to_compile_working_kernel_modules_anymore/
+  #'0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch' # https://www.reddit.com/r/linuxquestions/comments/903xwq/unable_to_compile_working_kernel_modules_anymore/
   '0001-binutils.2.31.max-page-size.patch' # http://lists.gnu.org/archive/html/bug-binutils/2018-03/msg00193.html
+  '0002-binutils.2.34.sysexit.patch' # https://gist.github.com/bbidulock/263c5c3aee34e3a1b09dca0b937c210b
+  '0003-systemd.245.kernel.316.ambient.capabilities.patch' # https://github.com/hardkernel/linux/commit/2ddfe869e9964afe1175919557e6b4f18b78941a
   'update.sh'
 )
 md5sums=('5c569ed649a0c9711879f333e90c5386'
-         '40d08732754c661356ca5a8e86005a58'
+         '8da6a4c655cecd0f2657436334a60d9c'
          '5c85a1cef25029a8eb87d0edeec0cb04'
          'f45197ec50bb5f7a85991f6e99ad49c6'
          '90cd68710e3064d9b65f5549570f7821'
          'eb14dcfd80c00852ef81ded6e826826a'
          'df7fceae6ee5d7e7be7b60ecd7f6bb35'
-         'faaee4c0db3a87bb45aa4e964727f308'
          '07dc499a909a3bb63fc3fdc0d0652e64'
+         '43d62abf4cd27fa1863759ac87b62ac5'
+         '4f2248545c0a3997a1d301195b7dcfe7'
          'e6a1be64b190d846648d671c012d6dd3')
 sha256sums=('4813ad7927a7d92e5339a873ab16201b242b2748934f12cb5df9ba2cfe1d77a0'
-            '9eee44021dc9e229c2d1b1601cec0d6e623e00147fd27b0fd0cf624fcdcee24d'
+            '82bd3706afe2beff9ff9a00fae0dd7f92e6f8f300ba0bbe8cc778c2bced20a11'
             '3bce3e9adce8ae3f826eebab75e9784ca92a914e526ae352de61c1da93aab8d3'
             '328539797005cb43362b75ca9965791a1ed34525101c286e4fb49694faa40e4c'
             '834bd254b56ab71d73f59b3221f056c72f559553c04718e350ab2a3e2991afe0'
             'f0d90e756f14533ee67afda280500511a62465b4f76adcc5effa95a40045179c'
             '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99'
-            'b0f101562baca5f8aed72ba90638763ef2be8f4618c111a50334970dd03dfb4b'
             'f71e0de924013fe60c3cbed45f322e6a09942db978daeddd18adb8582373b5ed'
+            '2c80046fa78bfa6e26ae6d8ac312142d9d67b394914fee423578583fe7ab15db'
+            'abbb27b46cf00bf6d4859c4d8dfcf1d6f32e385d3dbf04790abda8b4dae6540a'
             '4dad3093e0c2bd7dafd30a0344b4df6432c3a7d1422edc4e0d1e6201aa513648')
 
 _kernelname=${pkgbase#linux}
@@ -78,11 +82,18 @@ prepare() {
 
   # diff -pNaru5 'linux-3.16'{.61.orig,} > 'new_0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch'
   #(cd ..; cp -pr "${_srcname}"{,.61.orig})
-  patch -Nup1 -i "${srcdir}/0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch"
-  # false
+  #patch -Nup1 -i "${srcdir}/0000-unknown-rela-relocation-4-binutils.2.31.kernel.3.16.patch"
 
   patch -Nup1 -i "${srcdir}/0001-binutils.2.31.max-page-size.patch"
 
+  # Fix for binutils 2.34
+  patch -Nup1 -i "${srcdir}/0002-binutils.2.34.sysexit.patch"
+
+  # Fix for systemd 245
+  # https://forum.odroid.com/viewtopic.php?f=141&t=38171
+  # by stas-t Re: C2 won't boot up after upgrading systemd to 245-1 on Arch
+  patch -Nup1 -i "${srcdir}/0003-systemd.245.kernel.316.ambient.capabilities.patch"
+
   declare -A _config=([i686]='config' [x86_64]='config.x86_64')
   cat "${srcdir}/${_config[${CARCH}]}" > './.config'
   if [ "${_kernelname}" != "" ]; then