# Build-system knob consumed outside this spec; presumably it turns off the
# distro's default compiler hardening flags, which do not apply to a kernel
# build -- confirm against the Photon build tooling.
%global security_hardening none
Summary: Kernel
Name: linux-secure
Version: 4.18.9
# kat_build is optional: when defined it tags the release and pulls in
# Patch1000 below.
Release: 3%{?kat_build:.%kat_build}%{?dist}
License: GPLv2
URL: http://www.kernel.org/
Group: System Environment/Kernel
Vendor: VMware, Inc.
Distribution: Photon
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz
# Expected digest of the upstream tarball, presumably compared against the
# fetched Source0 by the Photon build tooling (the macro is not used anywhere
# else in this spec). Source0 is fetched over plain http, so this digest is
# the only integrity check on the kernel sources; SHA-1 detects a corrupted
# or swapped download but is collision-weak.
%define sha1 linux=229ed4bedc5b8256bdd761845b1d7e20e1df12d7
# Kernel config for this build; its CONFIG_LOCALVERSION is rewritten in the
# build section so uname -r matches uname_r defined below.
Source1: config-secure
# Spliced into the spec by the include directive after the install section.
Source2: initramfs.trigger
# common
Patch0: linux-4.14-Log-kmsg-dump-on-panic.patch
Patch1: double-tcp_mem-limits.patch
# TODO: disable this patch, check for regressions
#Patch2: linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch
Patch3: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch
Patch4: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch
Patch5: vsock-transport-for-9p.patch
Patch6: 4.18-x86-vmware-STA-support.patch
# secure
# PaX-derived hardening (NOWRITEEXEC, MPROTECT, EMUTRAMP, RANDKSTACK) and the
# RAP gcc plugin; Patch7 presumably fixes the build fallout they cause.
Patch7: 0001-bpf-ext4-bonding-Fix-compilation-errors.patch
Patch13: 0001-NOWRITEEXEC-and-PAX-features-MPROTECT-EMUTRAMP.patch
Patch14: 0002-Added-PAX_RANDKSTACK.patch
Patch15: 0003-Added-rap_plugin.patch
# HyperV Patches
Patch16: 0004-vmbus-Don-t-spam-the-logs-with-unknown-GUIDs.patch
#FIPS patches - allow some algorithms
Patch24: 4.18-Allow-some-algo-tests-for-FIPS.patch
# Adds the unprivileged_userns_clone sysctl and leaves unprivileged user
# namespaces off by default (see the 4.9.43-1 and 4.9.52-3 changelog entries).
Patch26: 4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
# Fix CVE-2017-1000252
Patch31: kvm-dont-accept-wrong-gsi-values.patch
# Out-of-tree patches from AppArmor:
Patch32: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch
Patch33: 4.17-0002-apparmor-af_unix-mediation.patch
Patch34: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch
# Not an AppArmor patch: rdrand-backed hwrng driver (4.14.54-4 changelog entry).
Patch35: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch
# NSX requirements (should be removed)
# Applied with -p0 from the parent directory in the prep section.
Patch99: LKCM.patch
%if 0%{?kat_build:1}
Patch1000: %{kat_build}.patch
%endif
BuildRequires: bc
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: glib-devel
BuildRequires: xerces-c-devel
BuildRequires: xml-security-c-devel
BuildRequires: libdnet-devel
BuildRequires: libmspack-devel
BuildRequires: Linux-PAM-devel
BuildRequires: openssl-devel
BuildRequires: procps-ng-devel
Requires: filesystem kmod
# The post scriptlet needs a minimal userland (ln, depmod wrapper).
Requires(post):(coreutils or toybox)
# Release string as reported by uname -r; matches the CONFIG_LOCALVERSION set
# in the build section and names every installed artifact below.
%define uname_r %{version}-%{release}-secure
%description
Security hardened Linux kernel.

%package lkcm
# Out-of-tree FIPS test module built from ../LKCM in the build section and
# installed under extra/ as fips_lkcm.ko.xz.
Summary: LKCM module
Group: System Environment/Kernel
Requires: %{name} = %{version}-%{release}
%description lkcm
The Linux package contains the LKCM driver module

%package devel
# Headers, Module.symvers and the build symlink needed to build out-of-tree
# modules; python2 and gawk are presumably used by the copied kernel scripts.
Summary: Kernel Dev
Group: System Environment/Kernel
Requires: python2 gawk
Requires: %{name} = %{version}-%{release}
%description devel
The Linux package contains the Linux kernel dev files
%package docs
Summary: Kernel docs
Group: System Environment/Kernel
Requires: python2
Requires: %{name} = %{version}-%{release}
%description docs
The Linux package contains the Linux kernel doc files
%prep
%setup -q -n linux-%{version}

%patch0 -p1
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch24 -p1
%patch26 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1

# LKCM.patch (Patch99) is applied one directory up with -p0, so it lands
# beside the kernel tree rather than inside it -- presumably creating the
# ../LKCM directory that the build and install sections descend into.
pushd ..
%patch99 -p0
popd

# Optional known-answer-test patch, only when kat_build is defined.
%if 0%{?kat_build:1}
%patch1000 -p1
%endif
%build
# patch vmw_balloon driver
# Defer the balloon driver's initialisation from module_init to late_initcall.
sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c
make mrproper
cp %{SOURCE1} .config
# Fold the package release into the kernel's local version so the running
# kernel reports the same uname -r as uname_r in this spec.
sed -i 's/CONFIG_LOCALVERSION="-secure"/CONFIG_LOCALVERSION="-%{release}-secure"/' .config
# oldconfig prompts for any symbol config-secure does not set and can hang a
# non-interactive build (see the 4.9.53-2 changelog entry); keep config-secure
# in step with this kernel version.
make LC_ALL= oldconfig
# Fixed build version and host strings keep the kernel banner independent of
# the build machine.
make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags}
# build LKCM module
bldroot=`pwd`
pushd ../LKCM
# The out-of-tree sources still include asm/uaccess.h; drop the include so
# they build against this kernel's headers.
sed -i '/#include <asm\/uaccess.h>/d' drv_fips_test.c
sed -i '/#include <asm\/uaccess.h>/d' fips_test.c
make -C $bldroot M=`pwd` modules
popd
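# Re-sign every installed module with the build tree's signing key, remove the
# detached signature files and compress the module in place. Runs from the
# kernel source directory, so ./scripts/sign-file and certs/ resolve. The
# private key stays in the build tree: nothing in the install section copies
# certs/*.pem into the buildroot.
# The find pattern is quoted so the shell cannot expand it against the current
# directory before find sees it; the loop variable is quoted as hygiene (the
# for loop itself still splits find's output on whitespace).
%define __modules_install_post \
for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name '*.ko'` ; do \
./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 "$MODULE" \
rm -f "$MODULE".{sig,dig} \
xz "$MODULE" \
done \
%{nil}
# __os_install_post strips signature from modules. We need to resign it again
# and then compress. Extra step is added to the default __spec_install_post.
%define __spec_install_post\
%{?__debug_package:%{__debug_install_post}}\
%{__arch_install_post}\
%{__os_install_post}\
%{__modules_install_post}\
%{nil}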
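%install
install -vdm 755 %{buildroot}/etc
install -vdm 755 %{buildroot}/boot
install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r}
make INSTALL_MOD_PATH=%{buildroot} modules_install
# install LKCM module
bldroot=`pwd`
pushd ../LKCM
make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install
popd
cp -v arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r}
cp -v System.map %{buildroot}/boot/System.map-%{uname_r}
cp -v .config %{buildroot}/boot/config-%{uname_r}
cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r}
install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}
cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r}
# Since we use compressed modules we can't use load pinning,
# because .ko files will be loaded from the memory (LoadPin: obj=<unknown>)
# The cmdline also carries the KSPP hardening knobs (slub_debug=P,
# page_poison=1, slab_nomerge); no-vmw-sta keeps the steal-time accounting
# patch disabled by default (see the 4.9.0-1 changelog entry).
# The quoted heredoc delimiter stops the shell from expanding anything inside;
# the rpm macros are already expanded when the spec is parsed.
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"
# GRUB Environment Block
photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge
photon_linux=vmlinuz-%{uname_r}
photon_initrd=initrd.img-%{uname_r}
EOF
# Register myself to initramfs
# Extra drivers the initramfs must carry so Xen and Hyper-V guests can boot;
# presumably consumed by the initramfs trigger (Source2).
mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
cat > %{buildroot}/%{_localstatedir}/lib/initramfs/kernel/%{uname_r} << "EOF"
--add-drivers "tmem xen-scsifront xen-blkfront xen-acpi-processor xen-evtchn xen-gntalloc xen-gntdev xen-privcmd xen-pciback xenfs hv_utils hv_vmbus hv_storvsc hv_netvsc hv_sock hv_balloon cn"
EOF
# cleanup dangling symlinks
rm -f %{buildroot}/lib/modules/%{uname_r}/source
rm -f %{buildroot}/lib/modules/%{uname_r}/build

# create /usr/src/linux-headers-*/ content
# The name patterns are quoted so the shell cannot expand them against the
# source tree first (a top-level Makefile or Kconfig would otherwise turn
# the pattern into a literal name and drop every other match).
find . -name 'Makefile*' -o -name 'Kconfig*' -o -name '*.pl' | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
# Module.symvers plus the include and scripts trees (this superset replaces an
# earlier copy of the same trees without Module.symvers).
find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy
# copy .config manually to be where it's expected to be
cp .config %{buildroot}/usr/src/linux-headers-%{uname_r}
# symlink to the build folder
ln -sf /usr/src/linux-headers-%{uname_r} %{buildroot}/lib/modules/%{uname_r}/build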
# initramfs.trigger (Source2) is spliced in here at parse time; presumably it
# holds the trigger scriptlets that regenerate the initrd from the
# registration file written under the initramfs/kernel directory above.
%include %{SOURCE2}

%post
# Refresh module dependency data for this exact release, then point
# /boot/photon.cfg (presumably what the bootloader reads) at this release's
# environment block so it becomes the kernel that boots.
/sbin/depmod -a %{uname_r}
ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

%post lkcm
# The module lands under extra/; depmod must index it before modprobe can load it.
/sbin/depmod -a %{uname_r}
%files
%defattr(-,root,root)
/boot/System.map-%{uname_r}
/boot/config-%{uname_r}
/boot/vmlinuz-%{uname_r}
# Holds the kernel command line; noreplace keeps a locally edited copy on upgrade.
%config(noreplace) /boot/linux-%{uname_r}.cfg
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
/lib/modules/*
# The build symlink, the headers tree and the LKCM module are owned by the
# devel and lkcm subpackages below.
%exclude /lib/modules/%{uname_r}/build
%exclude /usr/src
%exclude /lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz
%files lkcm
%defattr(-,root,root)
/lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz
%files docs
%defattr(-,root,root)
%{_defaultdocdir}/linux-%{uname_r}/*
%files devel
%defattr(-,root,root)
/lib/modules/%{uname_r}/build
/usr/src/linux-headers-%{uname_r}
%changelog
* Tue Oct 30 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.18.9-3
- Fix PAX randkstack and RAP plugin patches to avoid boot panic.
* Mon Oct 22 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.18.9-2
- Use updated steal time accounting patch.
* Tue Sep 25 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.18.9-1
- Update to version 4.18.9
* Wed Sep 19 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.67-1
- Update to version 4.14.67
* Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.54-4
- Add rdrand-based RNG driver to enhance kernel entropy.
* Sun Sep 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.54-3
- Add full retpoline support by building with retpoline-enabled gcc.
* Thu Aug 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.54-2
- Apply out-of-tree patches needed for AppArmor.
* Mon Jul 09 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.14.54-1
- Update to version 4.14.54
* Mon Mar 19 2018 Alexey Makhalov <amakhalov@vmware.com> 4.14.8-2
- Extra hardening: slab_nomerge and some .config changes
* Fri Feb 16 2018 Alexey Makhalov <amakhalov@vmware.com> 4.14.8-1
- Version update to v4.14 LTS. Drop aufs support.
* Mon Dec 04 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.66-1
- Version update
* Tue Nov 21 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.64-1
- Version update
* Wed Nov 08 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.60-2
- Update LKCM module
- Add -lkcm subpackage
* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1
- Version update
* Wed Oct 11 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-3
- Add patch "KVM: Don't accept obviously wrong gsi values via
- KVM_IRQFD" to fix CVE-2017-1000252.
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.53-2
- Build hang (at make oldconfig) fix.
* Thu Oct 05 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-1
- Version update
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-3
- Allow privileged CLONE_NEWUSER from nested user namespaces.
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-2
- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak)
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1
- Version update
* Mon Sep 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-2
- Requires coreutils or toybox
* Mon Sep 04 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.47-1
- Fix CVE-2017-11600
* Tue Aug 22 2017 Anish Swaminathan <anishs@vmware.com> 4.9.43-2
- Add missing xen block drivers
* Mon Aug 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.43-1
- Version update
- [feature] new sysctl option unprivileged_userns_clone
* Wed Aug 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-2
- Fix CVE-2017-7542
- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid
- panic on modprobe tcrypt
* Mon Aug 07 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.41-1
- Version update
* Fri Aug 04 2017 Bo Gan <ganb@vmware.com> 4.9.38-6
- Fix initramfs triggers
* Tue Aug 01 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-5
- Allow some algorithms in FIPS mode
- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports
- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree
- Enable additional NF features
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-4
- Add patches in Hyperv codebase
* Fri Jul 21 2017 Anish Swaminathan <anishs@vmware.com> 4.9.38-3
- Add missing hyperv drivers
* Thu Jul 20 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.38-2
- Disable scheduler beef up patch
* Tue Jul 18 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.38-1
- Fix CVE-2017-11176 and CVE-2017-10911
* Fri Jul 14 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-3
- Remove aufs source tarballs from git repo
* Mon Jul 03 2017 Xiaolin Li <xiaolinl@vmware.com> 4.9.34-2
- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires
* Wed Jun 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.34-1
- [feature] 9P FS security support
- [feature] DM Delay target support
- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605
* Thu Jun 8 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.31-1
- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076
- CVE-2017-9077 and CVE-2017-9242
- [feature] IPV6 netfilter NAT table support
* Fri May 26 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.30-1
- Fix CVE-2017-7487 and CVE-2017-9059
* Wed May 17 2017 Vinay Kulkarni <kulkarniv@vmware.com> 4.9.28-2
- Enable IPVLAN module.
* Tue May 16 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.28-1
- Version update
* Wed May 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.27-1
- Version update
* Sun May 7 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.26-1
- Version update
- Removed version suffix from config file name
* Thu Apr 27 2017 Bo Gan <ganb@vmware.com> 4.9.24-2
- Support dynamic initrd generation
* Tue Apr 25 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.24-1
- Fix CVE-2017-6874 and CVE-2017-7618.
- .config: build nvme and nvme-core in kernel.
* Tue Mar 21 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-3
- Added LKCM module
* Mon Mar 6 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-2
- .config: NSX requirements for crypto and netfilter
* Tue Feb 28 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.13-1
- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074
- .config: disable XEN guest (needs rap_plugin verification)
* Wed Feb 22 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-2
- rap_plugin improvement: throw error on function type casting
- function signatures were cleaned up using this feature.
- Added RAP_ENTRY for asm functions.
* Thu Feb 09 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.9-1
- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546,
- CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576.
- Added aufs support.
- Added PAX_RANDKSTACK feature.
- Extra func signatures cleanup to fix 1809717 and 1809722.
- .config: added CRYPTO_FIPS support.
* Tue Jan 10 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.2-1
- Update to linux-4.9.2 to fix CVE-2016-10088
- Rename package to linux-secure.
- Added KSPP cmdline params: slub_debug=P page_poison=1
* Mon Dec 19 2016 Xiaolin Li <xiaolinl@vmware.com> 4.9.0-2
- BuildRequires Linux-PAM-devel
* Mon Dec 12 2016 Alexey Makhalov <amakhalov@vmware.com> 4.9.0-1
- Update to linux-4.9.0
- Add paravirt stolen time accounting feature (from linux-esx),
- but disable it by default (no-vmw-sta cmdline parameter)
- Use vmware_io_delay() to keep "void fn(void)" signature
* Wed Nov 30 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-2
- Expand `uname -r` with release number
- Resign and compress modules after stripping
- .config: add syscalls tracing support
- .config: add cgrup_hugetlb support
- .config: add netfilter_xt_{set,target_ct} support
- .config: add netfilter_xt_match_{cgroup,ipvs} support
- .config: disable /dev/mem
* Mon Oct 17 2016 Alexey Makhalov <amakhalov@vmware.com> 4.8.0-1
- Initial commit.