GitList

Browse code

linux: Use AppArmor security module by default

Docker can use AppArmor profiles to tighten the security of
containers. For example, it can prevent "escape to host" attacks by
restricting access to proc and sys filesystems inside the container.
The kernel-side support for AppArmor is already enabled; make it the
default security module.

Change-Id: Ie69210d7ba2a1e41e5a9d79936470b3201c7cd79

Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5345
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>

Srivatsa S. Bhat authored on 2018/07/12 08:28:21
Showing 2 changed files

SPECS/linux/config

History View file @ 0bfa853

@@ -4252,9 +4252,9 @@ CONFIG_INTEGRITY_AUDIT=y
                      # CONFIG_EVM is not set
                      # CONFIG_DEFAULT_SECURITY_SELINUX is not set
                      # CONFIG_DEFAULT_SECURITY_SMACK is not set
                     -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
                     -CONFIG_DEFAULT_SECURITY_DAC=y
                     -CONFIG_DEFAULT_SECURITY=""
                     +CONFIG_DEFAULT_SECURITY_APPARMOR=y
                     +# CONFIG_DEFAULT_SECURITY_DAC is not set
                     +CONFIG_DEFAULT_SECURITY="apparmor"
                      CONFIG_XOR_BLOCKS=m
                      CONFIG_ASYNC_CORE=m
                      CONFIG_ASYNC_MEMCPY=m

SPECS/linux/linux.spec

History View file @ 0bfa853

@@ -2,7 +2,7 @@
                      Summary:        Kernel
                      Name:           linux
                      Version:    	4.4.139
                     -Release:        2%{?kat_build:.%kat_build}%{?dist}
                     +Release:        3%{?kat_build:.%kat_build}%{?dist}
                      License:    	GPLv2
                      URL:        	http://www.kernel.org/
                      Group:        	System Environment/Kernel
@@ -547,6 +547,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
                      /usr/share/perf-core
                      %changelog
                     +*   Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-3
                     +-   Use AppArmor security module by default.
                      *   Tue Jul 10 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-2
                      -   Fix CVE-2017-18232 and CVE-2018-10323.
                      *   Tue Jul 03 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.4.139-1