# Opts this package out of the distro-wide hardening compiler flags
# (presumably the distribution's security_hardening macro). The kernel
# build derives its own flags from Kconfig, so the distro flags would not
# apply cleanly; NOTE(review): the kernel-side hardening therefore has to
# come from Source1 (config-sec-<version>), which the spec alone cannot show.
%global security_hardening none
# Package identity. Version is the kernel release this build targets; it is
# folded into uname_r below and from there into every /boot, /lib/modules
# and /usr/src path in the package.
Summary: Kernel
Name: linux-sec
Version: 4.9.0
# Release is also part of uname_r, so each rebuild gets its own module
# directory and boot entry (see changelog 4.8.0-2).
Release: 2%{?dist}
# Packaging metadata; informational only.
License: GPLv2
URL: http://www.kernel.org/
Group: System Environment/Kernel
Vendor: VMware, Inc.
Distribution: Photon
#Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
# NOTE(review): Source0 is fetched over cleartext http, so the tarball's
# integrity rests entirely on the digest below; confirm the build tooling
# fails the build on a mismatch rather than only recording the value.
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-4.9.tar.xz
# Expected digest of Source0. SHA-1 is no longer collision-resistant;
# prefer a sha256/sha512 digest where the build tooling supports one.
%define sha1 linux=fa46da077c077467776cdc45a7b50d327a081ab4
# Hardened kernel config; the build step copies it to .config.
Source1: config-sec-%{version}
# common
# VMware-specific kernel changes (x86-vmware-*, scheduler, SUNRPC, 9p/vsock).
Patch0: x86-vmware-read-tsc_khz-only-once-at-boot-time.patch
Patch1: x86-vmware-use-tsc_khz-value-for-calibrate_cpu.patch
Patch2: x86-vmware-add-basic-paravirt-ops-support.patch
Patch3: x86-vmware-add-paravirt-sched-clock.patch
Patch4: x86-vmware-log-kmsg-dump-on-panic.patch
Patch5: double-tcp_mem-limits.patch
Patch6: linux-4.9-sysctl-sched_weighted_cpuload_uses_rla.patch
Patch7: linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch
Patch8: linux-4.9-REVERT-sched-fair-Beef-up-wake_wide.patch
Patch9: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch
Patch10: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch
Patch11: net-9p-vsock.patch
Patch12: x86-vmware-sta.patch
# secure
# Hardening set, applied last in the prep section. vmware_io_delay keeps a
# "void fn(void)" signature (changelog 4.9.0-1), presumably for the RAP
# signature checks brought in by Patch15, whose own title says signature
# fixing is still incomplete. NOTE(review): confirm the hardened kernel has
# boot and regression test coverage before release.
Patch13: vmware_io_delay.patch
Patch14: 0001-NOWRITEEXEC-and-PAX-features-EMUTRAMP-MPROTECT.patch
Patch15: 0002-Added-rap_plugin.-Func-signature-fixing-is-still-req.patch
# Build tools. openssl-devel is presumably needed by scripts/sign-file,
# which __modules_install_post uses to re-sign modules.
BuildRequires: bc
BuildRequires: kbd
BuildRequires: kmod
BuildRequires: glib-devel
BuildRequires: xerces-c-devel
BuildRequires: xml-security-c-devel
BuildRequires: libdnet
BuildRequires: libmspack
# Added in 4.9.0-2 (see changelog).
BuildRequires: Linux-PAM-devel
BuildRequires: openssl-devel
BuildRequires: procps-ng-devel
# Runtime deps: kmod provides the depmod run in the post scriptlet and,
# presumably, the decompression of the xz-compressed modules installed below.
Requires: filesystem kmod coreutils
# Kernel release string ("uname -r") of this build. Every /boot, /lib/modules
# and /usr/src path below derives from it, and the build step writes the same
# "-<release>-secure" suffix into CONFIG_LOCALVERSION so the running kernel
# reports the matching value.
%define uname_r %{version}-%{release}-secure
%description
Security hardened Linux kernel.
# devel subpackage: headers and build tree for out-of-tree module builds,
# installed under /usr/src and linked from /lib/modules/<uname_r>/build.
%package devel
Summary: Kernel Dev
Group: System Environment/Kernel
# Presumably needed by the helper scripts copied into the headers tree.
Requires: python2 gawk
Requires: %{name} = %{version}-%{release}
%description devel
The Linux package contains the Linux kernel dev files
%package docs
Summary: Kernel docs
Group: System Environment/Kernel
Requires: python2
Requires: %{name} = %{version}-%{release}
%description docs
The Linux package contains the Linux kernel doc files
%prep
# Unpack Source0 and apply the patch series in declaration order. The
# version-derived directory name is kept commented out because the tarball
# unpacks to linux-4.9.
#%setup -q -n linux-%{version}
# Directory name follows the tarball (linux-4.9), not uname_r.
%setup -q -n linux-4.9
# VMware-specific patches first (Patch0-Patch12), hardening patches after.
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
# Hardening set (see the "secure" group in the preamble) goes on top.
%patch13 -p1
%patch14 -p1
%patch15 -p1
%build
# patch vmw_balloon driver
# Defers balloon driver initialisation to late_initcall; this is a source
# edit done with sed rather than a patch file, so it is easy to miss.
sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c
make mrproper
# Start from the hardened config shipped as Source1.
cp %{SOURCE1} .config
# Embed the package release into the kernel's local version so the running
# kernel's "uname -r" matches uname_r and the module directory installed below.
sed -i 's/CONFIG_LOCALVERSION="-sec"/CONFIG_LOCALVERSION="-%{release}-secure"/' .config
# NOTE(review): oldconfig prompts for every symbol the shipped config does
# not set; in a non-interactive build that may abort or take defaults
# silently. olddefconfig (or a config verified complete for 4.9) is safer.
make LC_ALL= oldconfig
make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags}
# Re-sign every installed module with the build tree's signing key
# (presumably the key generated during the kernel build), remove any
# detached .sig/.dig leftovers, then xz-compress. Signing happens before
# compression, so the signature is inside the payload that kmod presumably
# decompresses and hands to the kernel.
# NOTE(review): the *.ko pattern is unquoted, so the shell may expand it
# against the build directory before find runs; quote it ('*.ko').
# NOTE(review): LoadPin is disabled on the kernel command line (see the
# install section), so enforced module signature verification in the
# config is the remaining module-integrity control - confirm it is enabled.
%define __modules_install_post \
for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \
./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \
rm -f $MODULE.{sig,dig} \
xz $MODULE \
done \
%{nil}
# __os_install_post strips signature from modules. We need to resign it again
# and then compress. Extra step is added to the default __spec_install_post.
%define __spec_install_post\
%{?__debug_package:%{__debug_install_post}}\
%{__arch_install_post}\
%{__os_install_post}\
%{__modules_install_post}\
%{nil}
%install
# Stage the buildroot directory layout before copying the build artefacts.
install -vdm 755 %{buildroot}/etc
install -vdm 755 %{buildroot}/boot
# Target for the Documentation tree shipped by the docs subpackage.
install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
# Created but nothing is installed into it by this spec.
install -vdm 755 %{buildroot}/etc/modprobe.d
# Headers tree for the devel subpackage; populated by the find/cp commands below.
install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r}
# Installs the modules; the strip in __os_install_post later discards their
# signatures, which __modules_install_post restores (see the macro above).
make INSTALL_MOD_PATH=%{buildroot} modules_install
cp -v arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r}
# NOTE(review): System.map is copied with default permissions; see the
# files section for the ownership/mode concern.
cp -v System.map %{buildroot}/boot/System.map-%{uname_r}
cp -v .config %{buildroot}/boot/config-%{uname_r}
cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
# Unstripped vmlinux kept under the debug tree for symbolised crash analysis.
install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}
cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r}
# Since we use compressed modules we can't use load pinning,
# because .ko files will be loaded from the memory (LoadPin: obj=<unknown>)
# NOTE(review): with LoadPin off, module signature enforcement in the config
# is the remaining control on where modules come from; confirm it is enabled.
# Write the GRUB environment block. The quoted EOF keeps the shell from
# expanding anything inside; only rpm macros (uname_r) are substituted.
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"
# GRUB Environment Block
photon_cmdline=init=/lib/systemd/systemd rcupdate.rcu_expedited=1 rw systemd.show_status=0 quiet noreplace-smp cpu_init_udelay=0 plymouth.enable=0 loadpin.enabled=0 no-vmw-sta
photon_linux=vmlinuz-%{uname_r}
EOF
# cleanup dangling symlinks
# modules_install leaves source/build symlinks pointing into the build
# directory; drop them. build is recreated below to point at /usr/src.
rm -f %{buildroot}/lib/modules/%{uname_r}/source
rm -f %{buildroot}/lib/modules/%{uname_r}/build
# create /usr/src/linux-headers-*/ content
# Copy the build-system files needed to compile out-of-tree modules.
# NOTE(review): the -name globs are unquoted, so a matching file in the
# current directory would be expanded by the shell before find sees it;
# quote them ('Makefile*', 'Kconfig*', '*.pl'). In the third command
# "-name include -o -name scripts -type d" binds as
# "include OR (scripts AND directory)", so files named include also match.
# The last command repeats the second plus Module.symvers; the second is redundant.
find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find arch/x86/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
# copy .config manually to be where it's expected to be
# The headers tree needs the exact config the kernel was built with.
cp .config %{buildroot}/usr/src/linux-headers-%{uname_r}
# symlink to the build folder
# Absolute target: resolves on the installed system, not inside the buildroot.
# Owned by the devel subpackage and excluded from the main package below.
ln -sf /usr/src/linux-headers-%{uname_r} %{buildroot}/lib/modules/%{uname_r}/build
# Post-install scriptlet: rebuild module dependency data and make this
# kernel the default boot entry.
%post
/sbin/depmod -aq %{uname_r}
# Point the bootloader at this kernel's environment block.
# NOTE(review): /boot/photon.cfg is created here but is not listed in the
# files section, and no preun/postun scriptlet repoints or removes it, so
# removing this package can leave the boot entry pointing at a missing file.
ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
# Main kernel package. With defattr "-" each file keeps the mode it got in
# the buildroot.
%files
%defattr(-,root,root)
# NOTE(review): System.map maps kernel symbols to addresses and is installed
# with whatever mode cp gave it in the buildroot (default umask, typically
# world-readable). Consider an attr(0600,root,root) entry for it, as some
# distributions do, so unprivileged users cannot read kernel addresses.
/boot/System.map-%{uname_r}
/boot/config-%{uname_r}
/boot/vmlinuz-%{uname_r}
%config(noreplace) /boot/linux-%{uname_r}.cfg
# Globs rather than uname_r-scoped paths: the package claims every firmware
# and modules directory present in the buildroot.
/lib/firmware/*
/lib/modules/*
# The build symlink belongs to the devel subpackage.
%exclude /lib/modules/%{uname_r}/build
# Headers tree belongs to the devel subpackage.
%exclude /usr/src
%files docs
%defattr(-,root,root)
# The Documentation tree copied in the install section.
%{_defaultdocdir}/linux-%{uname_r}/*
# devel subpackage: build symlink plus the headers tree.
%files devel
%defattr(-,root,root)
# Symlink created in the install section, pointing at the headers tree below.
/lib/modules/%{uname_r}/build
/usr/src/linux-headers-%{uname_r}
# Newest entry first; each entry's version-release must match Version/Release.
%changelog
* Mon Dec 19 2016 Xiaolin Li <xiaolinl@vmware.com> 4.9.0-2
- BuildRequires Linux-PAM-devel
* Mon Dec 12 2016 Alexey Makhalov <amakhalov@vmware.com> 4.9.0-1
- Update to linux-4.9.0
- Add paravirt stolen time accounting feature (from linux-esx),
but disable it by default (no-vmw-sta cmdline parameter)
- Use vmware_io_delay() to keep "void fn(void)" signature
* Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-2
- Expand `uname -r` with release number
- Resign and compress modules after stripping
- .config: add syscalls tracing support
- .config: add cgrup_hugetlb support
- .config: add netfilter_xt_{set,target_ct} support
- .config: add netfilter_xt_match_{cgroup,ipvs} support
- .config: disable /dev/mem
* Mon Oct 17 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-1
Initial commit.