Browse code
linux-secure: additional security hardening options in the config
Enabled:
- CONFIG_SECURITY_NETWORK_XFRM
- CONFIG_EVM
Disabled:
- CONFIG_HARDENED_USERCOPY_PAGESPAN
Change-Id: I4b1e6fffcde8ac4cbddef4502eccc5fa30082c54
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6480
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Alexey Makhalov authored on 2019/01/10 05:56:17Showing 2 changed files
| ... | ... |
@@ -395,6 +395,7 @@ CONFIG_HZ_250=y |
| 395 | 395 |
CONFIG_HZ=250 |
| 396 | 396 |
CONFIG_SCHED_HRTICK=y |
| 397 | 397 |
# CONFIG_KEXEC is not set |
| 398 |
+# CONFIG_KEXEC_FILE is not set |
|
| 398 | 399 |
CONFIG_CRASH_DUMP=y |
| 399 | 400 |
CONFIG_PHYSICAL_START=0x1000000 |
| 400 | 401 |
CONFIG_RELOCATABLE=y |
| ... | ... |
@@ -4409,21 +4410,21 @@ CONFIG_KEYS=y |
| 4409 | 4409 |
# CONFIG_PERSISTENT_KEYRINGS is not set |
| 4410 | 4410 |
# CONFIG_BIG_KEYS is not set |
| 4411 | 4411 |
CONFIG_TRUSTED_KEYS=m |
| 4412 |
-CONFIG_ENCRYPTED_KEYS=m |
|
| 4412 |
+CONFIG_ENCRYPTED_KEYS=y |
|
| 4413 | 4413 |
# CONFIG_KEY_DH_OPERATIONS is not set |
| 4414 | 4414 |
CONFIG_SECURITY_DMESG_RESTRICT=y |
| 4415 | 4415 |
CONFIG_SECURITY=y |
| 4416 | 4416 |
CONFIG_SECURITYFS=y |
| 4417 | 4417 |
CONFIG_SECURITY_NETWORK=y |
| 4418 | 4418 |
CONFIG_PAGE_TABLE_ISOLATION=y |
| 4419 |
-# CONFIG_SECURITY_NETWORK_XFRM is not set |
|
| 4419 |
+CONFIG_SECURITY_NETWORK_XFRM=y |
|
| 4420 | 4420 |
CONFIG_SECURITY_PATH=y |
| 4421 | 4421 |
CONFIG_INTEL_TXT=y |
| 4422 | 4422 |
CONFIG_LSM_MMAP_MIN_ADDR=65536 |
| 4423 | 4423 |
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
| 4424 | 4424 |
CONFIG_HARDENED_USERCOPY=y |
| 4425 | 4425 |
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set |
| 4426 |
-CONFIG_HARDENED_USERCOPY_PAGESPAN=y |
|
| 4426 |
+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set |
|
| 4427 | 4427 |
CONFIG_FORTIFY_SOURCE=y |
| 4428 | 4428 |
# CONFIG_STATIC_USERMODEHELPER is not set |
| 4429 | 4429 |
CONFIG_SECURITY_SELINUX=y |
| ... | ... |
@@ -4449,7 +4450,10 @@ CONFIG_INTEGRITY=y |
| 4449 | 4449 |
# CONFIG_INTEGRITY_SIGNATURE is not set |
| 4450 | 4450 |
CONFIG_INTEGRITY_AUDIT=y |
| 4451 | 4451 |
# CONFIG_IMA is not set |
| 4452 |
-# CONFIG_EVM is not set |
|
| 4452 |
+CONFIG_EVM=y |
|
| 4453 |
+CONFIG_EVM_ATTR_FSUUID=y |
|
| 4454 |
+# CONFIG_EVM_EXTRA_SMACK_XATTRS is not set |
|
| 4455 |
+# CONFIG_EVM_ADD_XATTRS is not set |
|
| 4453 | 4456 |
# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
| 4454 | 4457 |
# CONFIG_DEFAULT_SECURITY_SMACK is not set |
| 4455 | 4458 |
CONFIG_DEFAULT_SECURITY_APPARMOR=y |
| ... | ... |
@@ -4471,11 +4475,11 @@ CONFIG_CRYPTO_ALGAPI=y |
| 4471 | 4471 |
CONFIG_CRYPTO_ALGAPI2=y |
| 4472 | 4472 |
CONFIG_CRYPTO_AEAD=m |
| 4473 | 4473 |
CONFIG_CRYPTO_AEAD2=y |
| 4474 |
-CONFIG_CRYPTO_BLKCIPHER=m |
|
| 4474 |
+CONFIG_CRYPTO_BLKCIPHER=y |
|
| 4475 | 4475 |
CONFIG_CRYPTO_BLKCIPHER2=y |
| 4476 | 4476 |
CONFIG_CRYPTO_HASH=y |
| 4477 | 4477 |
CONFIG_CRYPTO_HASH2=y |
| 4478 |
-CONFIG_CRYPTO_RNG=m |
|
| 4478 |
+CONFIG_CRYPTO_RNG=y |
|
| 4479 | 4479 |
CONFIG_CRYPTO_RNG2=y |
| 4480 | 4480 |
CONFIG_CRYPTO_RNG_DEFAULT=m |
| 4481 | 4481 |
CONFIG_CRYPTO_AKCIPHER2=y |
| ... | ... |
@@ -4525,7 +4529,7 @@ CONFIG_CRYPTO_ECHAINIV=m |
| 4525 | 4525 |
# |
| 4526 | 4526 |
# Block modes |
| 4527 | 4527 |
# |
| 4528 |
-CONFIG_CRYPTO_CBC=m |
|
| 4528 |
+CONFIG_CRYPTO_CBC=y |
|
| 4529 | 4529 |
# CONFIG_CRYPTO_CFB is not set |
| 4530 | 4530 |
CONFIG_CRYPTO_CTR=m |
| 4531 | 4531 |
CONFIG_CRYPTO_CTS=m |
| ... | ... |
@@ -4539,7 +4543,7 @@ CONFIG_CRYPTO_XTS=m |
| 4539 | 4539 |
# Hash modes |
| 4540 | 4540 |
# |
| 4541 | 4541 |
CONFIG_CRYPTO_CMAC=m |
| 4542 |
-CONFIG_CRYPTO_HMAC=m |
|
| 4542 |
+CONFIG_CRYPTO_HMAC=y |
|
| 4543 | 4543 |
# CONFIG_CRYPTO_XCBC is not set |
| 4544 | 4544 |
# CONFIG_CRYPTO_VMAC is not set |
| 4545 | 4545 |
|
| ... | ... |
@@ -4569,7 +4573,7 @@ CONFIG_CRYPTO_SHA1=y |
| 4569 | 4569 |
# CONFIG_CRYPTO_SHA1_MB is not set |
| 4570 | 4570 |
# CONFIG_CRYPTO_SHA256_MB is not set |
| 4571 | 4571 |
# CONFIG_CRYPTO_SHA512_MB is not set |
| 4572 |
-CONFIG_CRYPTO_SHA256=m |
|
| 4572 |
+CONFIG_CRYPTO_SHA256=y |
|
| 4573 | 4573 |
CONFIG_CRYPTO_SHA512=y |
| 4574 | 4574 |
# CONFIG_CRYPTO_SHA3 is not set |
| 4575 | 4575 |
# CONFIG_CRYPTO_SM3 is not set |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-secure |
| 4 | 4 |
Version: 4.19.6 |
| 5 |
-Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 3%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -234,6 +234,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
|
| 234 | 234 |
/usr/src/linux-headers-%{uname_r}
|
| 235 | 235 |
|
| 236 | 236 |
%changelog |
| 237 |
+* Wed Jan 09 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-3 |
|
| 238 |
+- Additional security hardening options in the config. |
|
| 237 | 239 |
* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 |
| 238 | 240 |
- Enable AppArmor by default. |
| 239 | 241 |
* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-1 |