Docker uses AppArmor profiles to secure containers, so let's make
AppArmor the default security module in all kernel flavors.
For linux-esx, complete the AppArmor support by adding the out-of-tree
patches distributed with AppArmor.
Change-Id: Iacd9455789f34356bb531753b4006174ac9a41a5
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6293
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
# |
2 | 2 |
# Automatically generated file; DO NOT EDIT. |
3 |
-# Linux/x86 4.19.1 Kernel Configuration |
|
3 |
+# Linux/x86 4.19.6 Kernel Configuration |
|
4 | 4 |
# |
5 | 5 |
|
6 | 6 |
# |
... | ... |
@@ -5367,9 +5367,9 @@ CONFIG_INTEGRITY_AUDIT=y |
5367 | 5367 |
# CONFIG_EVM is not set |
5368 | 5368 |
# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
5369 | 5369 |
# CONFIG_DEFAULT_SECURITY_SMACK is not set |
5370 |
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set |
|
5371 |
-CONFIG_DEFAULT_SECURITY_DAC=y |
|
5372 |
-CONFIG_DEFAULT_SECURITY="" |
|
5370 |
+CONFIG_DEFAULT_SECURITY_APPARMOR=y |
|
5371 |
+# CONFIG_DEFAULT_SECURITY_DAC is not set |
|
5372 |
+CONFIG_DEFAULT_SECURITY="apparmor" |
|
5373 | 5373 |
CONFIG_XOR_BLOCKS=m |
5374 | 5374 |
CONFIG_ASYNC_CORE=m |
5375 | 5375 |
CONFIG_ASYNC_MEMCPY=m |
... | ... |
@@ -5525,7 +5525,6 @@ CONFIG_CRYPTO_DES=m |
5525 | 5525 |
# CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set |
5526 | 5526 |
# CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set |
5527 | 5527 |
# CONFIG_CRYPTO_SM4 is not set |
5528 |
-# CONFIG_CRYPTO_SPECK is not set |
|
5529 | 5528 |
# CONFIG_CRYPTO_TEA is not set |
5530 | 5529 |
# CONFIG_CRYPTO_TWOFISH is not set |
5531 | 5530 |
# CONFIG_CRYPTO_TWOFISH_X86_64 is not set |
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
# |
2 | 2 |
# Automatically generated file; DO NOT EDIT. |
3 |
-# Linux/x86 4.19.1 Kernel Configuration |
|
3 |
+# Linux/x86 4.19.6 Kernel Configuration |
|
4 | 4 |
# |
5 | 5 |
|
6 | 6 |
# |
... | ... |
@@ -935,6 +935,7 @@ CONFIG_IPV6_MULTIPLE_TABLES=y |
935 | 935 |
# CONFIG_IPV6_MROUTE is not set |
936 | 936 |
# CONFIG_IPV6_SEG6_LWTUNNEL is not set |
937 | 937 |
# CONFIG_IPV6_SEG6_HMAC is not set |
938 |
+# CONFIG_NETLABEL is not set |
|
938 | 939 |
# CONFIG_NETWORK_SECMARK is not set |
939 | 940 |
CONFIG_NET_PTP_CLASSIFY=y |
940 | 941 |
# CONFIG_NETWORK_PHY_TIMESTAMPING is not set |
... | ... |
@@ -1173,6 +1174,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m |
1173 | 1173 |
CONFIG_IP_NF_TARGET_ECN=m |
1174 | 1174 |
CONFIG_IP_NF_TARGET_TTL=m |
1175 | 1175 |
CONFIG_IP_NF_RAW=m |
1176 |
+# CONFIG_IP_NF_SECURITY is not set |
|
1176 | 1177 |
CONFIG_IP_NF_ARPTABLES=m |
1177 | 1178 |
CONFIG_IP_NF_ARPFILTER=m |
1178 | 1179 |
CONFIG_IP_NF_ARP_MANGLE=m |
... | ... |
@@ -1204,6 +1206,7 @@ CONFIG_IP6_NF_TARGET_REJECT=m |
1204 | 1204 |
# CONFIG_IP6_NF_TARGET_SYNPROXY is not set |
1205 | 1205 |
CONFIG_IP6_NF_MANGLE=m |
1206 | 1206 |
CONFIG_IP6_NF_RAW=m |
1207 |
+# CONFIG_IP6_NF_SECURITY is not set |
|
1207 | 1208 |
CONFIG_IP6_NF_NAT=m |
1208 | 1209 |
CONFIG_IP6_NF_TARGET_MASQUERADE=m |
1209 | 1210 |
# CONFIG_IP6_NF_TARGET_NPT is not set |
... | ... |
@@ -2930,6 +2933,7 @@ CONFIG_FSNOTIFY=y |
2930 | 2930 |
CONFIG_DNOTIFY=y |
2931 | 2931 |
CONFIG_INOTIFY_USER=y |
2932 | 2932 |
CONFIG_FANOTIFY=y |
2933 |
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set |
|
2933 | 2934 |
CONFIG_QUOTA=y |
2934 | 2935 |
# CONFIG_QUOTA_NETLINK_INTERFACE is not set |
2935 | 2936 |
CONFIG_PRINT_QUOTA_WARNING=y |
... | ... |
@@ -3007,6 +3011,7 @@ CONFIG_PNFS_BLOCK=m |
3007 | 3007 |
CONFIG_PNFS_FLEXFILE_LAYOUT=m |
3008 | 3008 |
CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" |
3009 | 3009 |
# CONFIG_NFS_V4_1_MIGRATION is not set |
3010 |
+CONFIG_NFS_V4_SECURITY_LABEL=y |
|
3010 | 3011 |
CONFIG_NFS_USE_LEGACY_DNS=y |
3011 | 3012 |
CONFIG_NFS_DEBUG=y |
3012 | 3013 |
CONFIG_NFSD=m |
... | ... |
@@ -3016,6 +3021,7 @@ CONFIG_NFSD_V4=y |
3016 | 3016 |
# CONFIG_NFSD_BLOCKLAYOUT is not set |
3017 | 3017 |
# CONFIG_NFSD_SCSILAYOUT is not set |
3018 | 3018 |
# CONFIG_NFSD_FLEXFILELAYOUT is not set |
3019 |
+# CONFIG_NFSD_V4_SECURITY_LABEL is not set |
|
3019 | 3020 |
# CONFIG_NFSD_FAULT_INJECTION is not set |
3020 | 3021 |
CONFIG_GRACE_PERIOD=m |
3021 | 3022 |
CONFIG_LOCKD=m |
... | ... |
@@ -3102,17 +3108,32 @@ CONFIG_KEYS_COMPAT=y |
3102 | 3102 |
# CONFIG_ENCRYPTED_KEYS is not set |
3103 | 3103 |
# CONFIG_KEY_DH_OPERATIONS is not set |
3104 | 3104 |
# CONFIG_SECURITY_DMESG_RESTRICT is not set |
3105 |
-# CONFIG_SECURITY is not set |
|
3106 |
-# CONFIG_SECURITYFS is not set |
|
3105 |
+CONFIG_SECURITY=y |
|
3106 |
+CONFIG_SECURITYFS=y |
|
3107 |
+CONFIG_SECURITY_NETWORK=y |
|
3107 | 3108 |
CONFIG_PAGE_TABLE_ISOLATION=y |
3109 |
+# CONFIG_SECURITY_NETWORK_XFRM is not set |
|
3110 |
+CONFIG_SECURITY_PATH=y |
|
3108 | 3111 |
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
3109 | 3112 |
CONFIG_HARDENED_USERCOPY=y |
3110 | 3113 |
CONFIG_HARDENED_USERCOPY_FALLBACK=y |
3111 | 3114 |
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set |
3112 | 3115 |
# CONFIG_FORTIFY_SOURCE is not set |
3113 | 3116 |
# CONFIG_STATIC_USERMODEHELPER is not set |
3114 |
-CONFIG_DEFAULT_SECURITY_DAC=y |
|
3115 |
-CONFIG_DEFAULT_SECURITY="" |
|
3117 |
+# CONFIG_SECURITY_SELINUX is not set |
|
3118 |
+# CONFIG_SECURITY_SMACK is not set |
|
3119 |
+# CONFIG_SECURITY_TOMOYO is not set |
|
3120 |
+CONFIG_SECURITY_APPARMOR=y |
|
3121 |
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 |
|
3122 |
+CONFIG_SECURITY_APPARMOR_HASH=y |
|
3123 |
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y |
|
3124 |
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set |
|
3125 |
+# CONFIG_SECURITY_LOADPIN is not set |
|
3126 |
+# CONFIG_SECURITY_YAMA is not set |
|
3127 |
+# CONFIG_INTEGRITY is not set |
|
3128 |
+CONFIG_DEFAULT_SECURITY_APPARMOR=y |
|
3129 |
+# CONFIG_DEFAULT_SECURITY_DAC is not set |
|
3130 |
+CONFIG_DEFAULT_SECURITY="apparmor" |
|
3116 | 3131 |
CONFIG_XOR_BLOCKS=m |
3117 | 3132 |
CONFIG_CRYPTO=y |
3118 | 3133 |
|
... | ... |
@@ -3211,7 +3232,7 @@ CONFIG_CRYPTO_MD5=y |
3211 | 3211 |
# CONFIG_CRYPTO_RMD160 is not set |
3212 | 3212 |
# CONFIG_CRYPTO_RMD256 is not set |
3213 | 3213 |
# CONFIG_CRYPTO_RMD320 is not set |
3214 |
-CONFIG_CRYPTO_SHA1=m |
|
3214 |
+CONFIG_CRYPTO_SHA1=y |
|
3215 | 3215 |
# CONFIG_CRYPTO_SHA1_SSSE3 is not set |
3216 | 3216 |
# CONFIG_CRYPTO_SHA256_SSSE3 is not set |
3217 | 3217 |
# CONFIG_CRYPTO_SHA512_SSSE3 is not set |
... | ... |
@@ -3258,7 +3279,6 @@ CONFIG_CRYPTO_DES=m |
3258 | 3258 |
# CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set |
3259 | 3259 |
# CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set |
3260 | 3260 |
# CONFIG_CRYPTO_SM4 is not set |
3261 |
-# CONFIG_CRYPTO_SPECK is not set |
|
3262 | 3261 |
# CONFIG_CRYPTO_TEA is not set |
3263 | 3262 |
# CONFIG_CRYPTO_TWOFISH is not set |
3264 | 3263 |
# CONFIG_CRYPTO_TWOFISH_X86_64 is not set |
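Review bot: Yama stays disabled (`# CONFIG_SECURITY_YAMA is not set` in the hunk at @@ -3102,17 +3108,32 @@) even though this is the change that first enables CONFIG_SECURITY for this flavor, and `# CONFIG_SECURITY_DMESG_RESTRICT is not set` is left as-is in the same hunk. On 4.19 Yama is a minor LSM that stacks with the selected major LSM, so `CONFIG_SECURITY_YAMA=y` can be turned on here without affecting the `CONFIG_DEFAULT_SECURITY="apparmor"` choice and would give the kernel.yama.ptrace_scope knob that container hosts normally want; if it is deliberately left out of the ESX flavor, a line in the spec changelog saying so would stop the next config regeneration from revisiting it. `CONFIG_NFS_V4_SECURITY_LABEL=y` appears to have come in through Kconfig defaults once SECURITY was on; it provides SELinux-style labeled NFS that AppArmor does not consume, so it could be left `not set` like its NFSD counterpart in this change. The `CONFIG_CRYPTO_SHA1=m` → `=y` flip in the later hunk is presumably forced by `CONFIG_SECURITY_APPARMOR_HASH=y` (a built-in LSM cannot rely on a module), so it belongs with the security hunk rather than being an unrelated change.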
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
# |
2 | 2 |
# Automatically generated file; DO NOT EDIT. |
3 |
-# Linux/x86 4.19.1 Kernel Configuration |
|
3 |
+# Linux/x86 4.19.6 Kernel Configuration |
|
4 | 4 |
# |
5 | 5 |
|
6 | 6 |
# |
... | ... |
@@ -4452,9 +4452,9 @@ CONFIG_INTEGRITY_AUDIT=y |
4452 | 4452 |
# CONFIG_EVM is not set |
4453 | 4453 |
# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
4454 | 4454 |
# CONFIG_DEFAULT_SECURITY_SMACK is not set |
4455 |
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set |
|
4456 |
-CONFIG_DEFAULT_SECURITY_DAC=y |
|
4457 |
-CONFIG_DEFAULT_SECURITY="" |
|
4455 |
+CONFIG_DEFAULT_SECURITY_APPARMOR=y |
|
4456 |
+# CONFIG_DEFAULT_SECURITY_DAC is not set |
|
4457 |
+CONFIG_DEFAULT_SECURITY="apparmor" |
|
4458 | 4458 |
CONFIG_XOR_BLOCKS=m |
4459 | 4459 |
CONFIG_ASYNC_CORE=m |
4460 | 4460 |
CONFIG_ASYNC_MEMCPY=m |
... | ... |
@@ -4609,7 +4609,6 @@ CONFIG_CRYPTO_DES=m |
4609 | 4609 |
# CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set |
4610 | 4610 |
# CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set |
4611 | 4611 |
# CONFIG_CRYPTO_SM4 is not set |
4612 |
-# CONFIG_CRYPTO_SPECK is not set |
|
4613 | 4612 |
# CONFIG_CRYPTO_TEA is not set |
4614 | 4613 |
# CONFIG_CRYPTO_TWOFISH is not set |
4615 | 4614 |
# CONFIG_CRYPTO_TWOFISH_X86_64 is not set |
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
# |
2 | 2 |
# Automatically generated file; DO NOT EDIT. |
3 |
-# Linux/arm64 4.19.1 Kernel Configuration |
|
3 |
+# Linux/arm64 4.19.6 Kernel Configuration |
|
4 | 4 |
# |
5 | 5 |
|
6 | 6 |
# |
... | ... |
@@ -5639,9 +5639,9 @@ CONFIG_INTEGRITY_AUDIT=y |
5639 | 5639 |
# CONFIG_EVM is not set |
5640 | 5640 |
# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
5641 | 5641 |
# CONFIG_DEFAULT_SECURITY_SMACK is not set |
5642 |
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set |
|
5643 |
-CONFIG_DEFAULT_SECURITY_DAC=y |
|
5644 |
-CONFIG_DEFAULT_SECURITY="" |
|
5642 |
+CONFIG_DEFAULT_SECURITY_APPARMOR=y |
|
5643 |
+# CONFIG_DEFAULT_SECURITY_DAC is not set |
|
5644 |
+CONFIG_DEFAULT_SECURITY="apparmor" |
|
5645 | 5645 |
CONFIG_XOR_BLOCKS=m |
5646 | 5646 |
CONFIG_ASYNC_CORE=m |
5647 | 5647 |
CONFIG_ASYNC_MEMCPY=m |
... | ... |
@@ -5763,7 +5763,6 @@ CONFIG_CRYPTO_DES=m |
5763 | 5763 |
# CONFIG_CRYPTO_SEED is not set |
5764 | 5764 |
# CONFIG_CRYPTO_SERPENT is not set |
5765 | 5765 |
# CONFIG_CRYPTO_SM4 is not set |
5766 |
-# CONFIG_CRYPTO_SPECK is not set |
|
5767 | 5766 |
# CONFIG_CRYPTO_TEA is not set |
5768 | 5767 |
# CONFIG_CRYPTO_TWOFISH is not set |
5769 | 5768 |
|
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 | 4 |
Version: 4.19.6 |
5 |
-Release: 1%{?dist} |
|
5 |
+Release: 2%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -35,6 +35,10 @@ Patch22: 4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-defaul |
35 | 35 |
# Fix CVE-2017-1000252 |
36 | 36 |
Patch24: kvm-dont-accept-wrong-gsi-values.patch |
37 | 37 |
Patch25: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch |
38 |
+# Out-of-tree patches from AppArmor: |
|
39 |
+Patch26: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch |
|
40 |
+Patch27: 4.17-0002-apparmor-af_unix-mediation.patch |
|
41 |
+Patch28: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch |
|
38 | 42 |
|
39 | 43 |
BuildArch: x86_64 |
40 | 44 |
BuildRequires: bc |
... | ... |
@@ -90,6 +94,9 @@ The Linux package contains the Linux kernel doc files |
90 | 90 |
%patch22 -p1 |
91 | 91 |
%patch24 -p1 |
92 | 92 |
%patch25 -p1 |
93 |
+%patch26 -p1 |
|
94 |
+%patch27 -p1 |
|
95 |
+%patch28 -p1 |
|
93 | 96 |
|
94 | 97 |
%build |
95 | 98 |
# patch vmw_balloon driver |
... | ... |
@@ -186,6 +193,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
186 | 186 |
/usr/src/linux-headers-%{uname_r} |
187 | 187 |
|
188 | 188 |
%changelog |
189 |
+* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 |
|
190 |
+- Add out-of-tree patches from AppArmor and enable it by default. |
|
189 | 191 |
* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-1 |
190 | 192 |
- Update to version 4.19.6 |
191 | 193 |
* Thu Nov 29 2018 Alexey Makhalov <amakhalov@vmware.com> 4.19.1-3 |
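Review bot: The new Patch26–Patch28 block is introduced with only `# Out-of-tree patches from AppArmor:` and does not record where the patches were taken from or which kernel series they were generated against, which matters because their `4.17-` prefix does not match the 4.19.6 tree they are applied to. A comment naming the origin and the series would let the next version bump refresh them instead of carrying stale copies, e.g. `# Out-of-tree AppArmor patches (AppArmor project's 4.17 kernel series); apply together and in order, refresh on kernel update.` Patch28's title suggests it fixes a use-after-free in code added by Patch27's af_unix mediation, so the three should be treated as a unit — the `%patch26`..`%patch28 -p1` lines do apply them in order, but stating the dependency in the comment would keep someone from dropping Patch28 while keeping Patch27. The %prep run of %patch lines begins outside the hunk.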
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.19.6 |
5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -234,6 +234,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
234 | 234 |
/usr/src/linux-headers-%{uname_r} |
235 | 235 |
|
236 | 236 |
%changelog |
237 |
+* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 |
|
238 |
+- Enable AppArmor by default. |
|
237 | 239 |
* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-1 |
238 | 240 |
- Update to version 4.19.6 |
239 | 241 |
* Thu Nov 15 2018 Ajay Kaher <akaher@vmware.com> 4.19.1-2 |
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 | 4 |
Version: 4.19.6 |
5 |
-Release: 4%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 5%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -386,6 +386,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
386 | 386 |
%endif |
387 | 387 |
|
388 | 388 |
%changelog |
389 |
+* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-5 |
|
390 |
+- Enable AppArmor by default. |
|
389 | 391 |
* Wed Jan 02 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-4 |
390 | 392 |
- .config: added Compulab fitlet2 device drivers |
391 | 393 |
- .config_aarch64: added gpio sysfs support |