kernel: disable CONFIG_RDS on aarch64 to match x86_64 #17362

Open: dethoma wants to merge 1 commit into microsoft:3.0-dev from dethoma:dethoma/disable-rds-aarch64

dethoma commented May 19, 2026

Summary

Disable the Reliable Datagram Sockets (RDS) protocol in the aarch64 kernel config so it matches x86_64. RDS has been disabled on x86_64 since 5.4.23-11 (May 2020), but the parallel change to config_aarch64 was never made — likely because aarch64 was not yet a first-class build target in CBL-Mariner at the time. The divergence has persisted across every kernel rebase since (5.4 → 5.10 → 5.15 → 6.6). This PR closes that gap. RDS is an Oracle clustering protocol with no expected use in Azure Linux guest workloads, and recent disclosures (e.g. the PinTheft LPE published on oss-security 2026/05/19 — a double-free in rds_message_zcopy_from_user() weaponized via io_uring fixed buffers into a SUID page-cache overwrite) make removing the autoloadable attack surface on aarch64 a clear win.

Summary

See above.

Change Log
  • SPECS/kernel/config_aarch64: replace CONFIG_RDS=m, CONFIG_RDS_RDMA=m, CONFIG_RDS_TCP=m, and # CONFIG_RDS_DEBUG is not set with # CONFIG_RDS is not set (aligns with x86_64).
  • SPECS/kernel/kernel.signatures.json: refresh the config_aarch64 SHA-256 to 8781dab223c2657730384cd194d5b647b56b63e8712e390bf4f24399bc9c27ee.
  • SPECS/kernel/kernel.spec: bump Release from 1 to 2 and add a changelog entry documenting the rationale.

Packages affected: kernel (aarch64 only — x86_64 binary unchanged).

CVEs / advisories referenced (not formally assigned yet):

  • PinTheft Linux LPE, oss-security 2026/05/19 — RDS zerocopy double-free.

Does this affect the toolchain?

NO — kernel is not a toolchain package, and no toolchain manifests were modified.

Associated issues
  • none

Links to CVEs

Test Methodology
  • Config-only change verified by reviewing the resulting config_aarch64 diff (4 lines removed, 1 line added) and confirming the SHA-256 in kernel.signatures.json matches the new file.
  • aarch64 kernel package build verified on an ephemeral Standard_D16ps_v5 Azure VM (Ubuntu 24.04, Ampere Altra) using make build-packages PACKAGE_BUILD_LIST="kernel" REBUILD_TOOLS=y USE_PREVIEW_REPO=y. Kernel compiled and modules linked cleanly with no RDS-related symbol references; rds.ko is absent from the produced module set.
  • No %check section exists for the kernel package; no functional code paths modified.

Checklist (config-only kernel change; most items N/A):

  • Toolchain rebuilt or no toolchain changes
  • Toolchain/worker manifests up-to-date
  • Updated packages successfully build (verified locally on aarch64 Azure VM)
  • Static-component Release tag incremented (kernel Release: 1 → 2)
  • Package tests / %check verified (no %check section in kernel.spec)
  • All package sources are available
  • cgmanifest files are up-to-date and sorted
  • LICENSE-MAP files are up-to-date
  • All source files have up-to-date hashes in *.signatures.json (config_aarch64 refreshed)
  • sudo make go-tidy-all and sudo make go-test-coverage pass (no Go changes)
  • Documentation has been updated (no docs affected)
  • Ready to merge (leave unchecked until PR CI is green)
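
The two checks described under Test Methodology (no RDS symbol left enabled, and the recorded SHA-256 matching the edited file) can be scripted. The following is an added example, not code from this PR or from the Azure Linux tooling; the config fragments are constructed samples, and the `{"Signatures": {...}}` layout of the signatures file is an assumption.

```python
import hashlib
import json
import re

# Matches CONFIG_RDS and its sub-options (CONFIG_RDS_RDMA, CONFIG_RDS_TCP, ...)
# when built in (=y) or built as an autoloadable module (=m).
RDS_ENABLED = re.compile(r"^(CONFIG_RDS(?:_[A-Z0-9_]+)?)=([ym])$")
RDS_OFF_LINE = "# CONFIG_RDS is not set"

def enabled_rds_options(config_text):
    """Return {symbol: 'y'|'m'} for every RDS symbol still enabled."""
    hits = {}
    for line in config_text.splitlines():
        m = RDS_ENABLED.match(line.strip())
        if m:
            hits[m.group(1)] = m.group(2)
    return hits

def signature_matches(config_bytes, signatures_json, name):
    """Compare the file's SHA-256 with the entry recorded for `name`.
    Assumed layout: {"Signatures": {"<file name>": "<sha256 hex>"}}."""
    recorded = json.loads(signatures_json).get("Signatures", {}).get(name)
    return recorded == hashlib.sha256(config_bytes).hexdigest()

def audit(config_bytes, signatures_json, name="config_aarch64"):
    """Return a list of findings; an empty list means the config passes."""
    text = config_bytes.decode("utf-8")
    findings = [f"{sym}={val} is still enabled"
                for sym, val in sorted(enabled_rds_options(text).items())]
    if RDS_OFF_LINE not in (l.strip() for l in text.splitlines()):
        findings.append(f"missing '{RDS_OFF_LINE}'")
    if not signature_matches(config_bytes, signatures_json, name):
        findings.append(f"SHA-256 of {name} does not match signatures file")
    return findings

# Constructed sample fragments (not the real config_aarch64 contents).
BEFORE = (b"CONFIG_NET=y\nCONFIG_RDS=m\nCONFIG_RDS_RDMA=m\nCONFIG_RDS_TCP=m\n"
          b"# CONFIG_RDS_DEBUG is not set\n")
AFTER = b"CONFIG_NET=y\n# CONFIG_RDS is not set\n"
# Constructed signatures file that records the hash of AFTER.
SIGNATURES = json.dumps(
    {"Signatures": {"config_aarch64": hashlib.sha256(AFTER).hexdigest()}})

if __name__ == "__main__":
    for label, blob in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(blob, SIGNATURES) or "OK")
```

Running the same audit against every architecture's config file would also surface the kind of x86_64/aarch64 divergence this PR closes.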

Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to
match x86_64. Closes a long-standing config divergence dating to 2020
(5.4.23-11) where RDS was disabled on x86_64 only. Mitigates exposure
to RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user
double-free, oss-security 2026/05/19).

Changes:
- Disable CONFIG_RDS in config_aarch64 for kernel, kernel-64k,
  kernel-hwe, and kernel-mshv
- Bump Release to -2 across all entangled specs (kernel group,
  kernel-hwe group, kernel-mshv group)
- Update signatures.json hashes for modified config files
- Update toolchain and pkggen_core manifests for kernel-headers -2
- Add kernel config checker overrides for pre-existing drift discovered
  during CI validation (unrelated to RDS; tracked separately)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

dethoma force-pushed the dethoma/disable-rds-aarch64 branch from c74beec to abf1c33 on May 21, 2026 18:00
Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging Tools