Enabled:
- CONFIG_SECURITY_NETWORK_XFRM
- CONFIG_EVM
Disabled:
- CONFIG_HARDENED_USERCOPY_PAGESPAN
Change-Id: I4b1e6fffcde8ac4cbddef4502eccc5fa30082c54
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6480
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
... | ... |
@@ -395,6 +395,7 @@ CONFIG_HZ_250=y |
395 | 395 |
CONFIG_HZ=250 |
396 | 396 |
CONFIG_SCHED_HRTICK=y |
397 | 397 |
# CONFIG_KEXEC is not set |
398 |
+# CONFIG_KEXEC_FILE is not set |
|
398 | 399 |
CONFIG_CRASH_DUMP=y |
399 | 400 |
CONFIG_PHYSICAL_START=0x1000000 |
400 | 401 |
CONFIG_RELOCATABLE=y |
... | ... |
@@ -4409,21 +4410,21 @@ CONFIG_KEYS=y |
4409 | 4409 |
# CONFIG_PERSISTENT_KEYRINGS is not set |
4410 | 4410 |
# CONFIG_BIG_KEYS is not set |
4411 | 4411 |
CONFIG_TRUSTED_KEYS=m |
4412 |
-CONFIG_ENCRYPTED_KEYS=m |
|
4412 |
+CONFIG_ENCRYPTED_KEYS=y |
|
4413 | 4413 |
# CONFIG_KEY_DH_OPERATIONS is not set |
4414 | 4414 |
CONFIG_SECURITY_DMESG_RESTRICT=y |
4415 | 4415 |
CONFIG_SECURITY=y |
4416 | 4416 |
CONFIG_SECURITYFS=y |
4417 | 4417 |
CONFIG_SECURITY_NETWORK=y |
4418 | 4418 |
CONFIG_PAGE_TABLE_ISOLATION=y |
4419 |
-# CONFIG_SECURITY_NETWORK_XFRM is not set |
|
4419 |
+CONFIG_SECURITY_NETWORK_XFRM=y |
|
4420 | 4420 |
CONFIG_SECURITY_PATH=y |
4421 | 4421 |
CONFIG_INTEL_TXT=y |
4422 | 4422 |
CONFIG_LSM_MMAP_MIN_ADDR=65536 |
4423 | 4423 |
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
4424 | 4424 |
CONFIG_HARDENED_USERCOPY=y |
4425 | 4425 |
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set |
4426 |
-CONFIG_HARDENED_USERCOPY_PAGESPAN=y |
|
4426 |
+# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set |
|
4427 | 4427 |
CONFIG_FORTIFY_SOURCE=y |
4428 | 4428 |
# CONFIG_STATIC_USERMODEHELPER is not set |
4429 | 4429 |
CONFIG_SECURITY_SELINUX=y |
... | ... |
@@ -4449,7 +4450,10 @@ CONFIG_INTEGRITY=y |
4449 | 4449 |
# CONFIG_INTEGRITY_SIGNATURE is not set |
4450 | 4450 |
CONFIG_INTEGRITY_AUDIT=y |
4451 | 4451 |
# CONFIG_IMA is not set |
4452 |
-# CONFIG_EVM is not set |
|
4452 |
+CONFIG_EVM=y |
|
4453 |
+CONFIG_EVM_ATTR_FSUUID=y |
|
4454 |
+# CONFIG_EVM_EXTRA_SMACK_XATTRS is not set |
|
4455 |
+# CONFIG_EVM_ADD_XATTRS is not set |
|
4453 | 4456 |
# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
4454 | 4457 |
# CONFIG_DEFAULT_SECURITY_SMACK is not set |
4455 | 4458 |
CONFIG_DEFAULT_SECURITY_APPARMOR=y |
... | ... |
@@ -4471,11 +4475,11 @@ CONFIG_CRYPTO_ALGAPI=y |
4471 | 4471 |
CONFIG_CRYPTO_ALGAPI2=y |
4472 | 4472 |
CONFIG_CRYPTO_AEAD=m |
4473 | 4473 |
CONFIG_CRYPTO_AEAD2=y |
4474 |
-CONFIG_CRYPTO_BLKCIPHER=m |
|
4474 |
+CONFIG_CRYPTO_BLKCIPHER=y |
|
4475 | 4475 |
CONFIG_CRYPTO_BLKCIPHER2=y |
4476 | 4476 |
CONFIG_CRYPTO_HASH=y |
4477 | 4477 |
CONFIG_CRYPTO_HASH2=y |
4478 |
-CONFIG_CRYPTO_RNG=m |
|
4478 |
+CONFIG_CRYPTO_RNG=y |
|
4479 | 4479 |
CONFIG_CRYPTO_RNG2=y |
4480 | 4480 |
CONFIG_CRYPTO_RNG_DEFAULT=m |
4481 | 4481 |
CONFIG_CRYPTO_AKCIPHER2=y |
... | ... |
@@ -4525,7 +4529,7 @@ CONFIG_CRYPTO_ECHAINIV=m |
4525 | 4525 |
# |
4526 | 4526 |
# Block modes |
4527 | 4527 |
# |
4528 |
-CONFIG_CRYPTO_CBC=m |
|
4528 |
+CONFIG_CRYPTO_CBC=y |
|
4529 | 4529 |
# CONFIG_CRYPTO_CFB is not set |
4530 | 4530 |
CONFIG_CRYPTO_CTR=m |
4531 | 4531 |
CONFIG_CRYPTO_CTS=m |
... | ... |
@@ -4539,7 +4543,7 @@ CONFIG_CRYPTO_XTS=m |
4539 | 4539 |
# Hash modes |
4540 | 4540 |
# |
4541 | 4541 |
CONFIG_CRYPTO_CMAC=m |
4542 |
-CONFIG_CRYPTO_HMAC=m |
|
4542 |
+CONFIG_CRYPTO_HMAC=y |
|
4543 | 4543 |
# CONFIG_CRYPTO_XCBC is not set |
4544 | 4544 |
# CONFIG_CRYPTO_VMAC is not set |
4545 | 4545 |
|
... | ... |
@@ -4569,7 +4573,7 @@ CONFIG_CRYPTO_SHA1=y |
4569 | 4569 |
# CONFIG_CRYPTO_SHA1_MB is not set |
4570 | 4570 |
# CONFIG_CRYPTO_SHA256_MB is not set |
4571 | 4571 |
# CONFIG_CRYPTO_SHA512_MB is not set |
4572 |
-CONFIG_CRYPTO_SHA256=m |
|
4572 |
+CONFIG_CRYPTO_SHA256=y |
|
4573 | 4573 |
CONFIG_CRYPTO_SHA512=y |
4574 | 4574 |
# CONFIG_CRYPTO_SHA3 is not set |
4575 | 4575 |
# CONFIG_CRYPTO_SM3 is not set |
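Review bot: In the `CONFIG_INTEGRITY` hunk, `CONFIG_EVM=y` is enabled while `# CONFIG_IMA is not set` and `# CONFIG_INTEGRITY_SIGNATURE is not set` stay unchanged, so EVM can only work in HMAC mode and verifies nothing until an `evm-key` encrypted key is loaded and EVM is activated through securityfs at boot. Neither the commit message nor the changelog entry says how that key is provisioned on a Photon image. The keys hunk also leaves `CONFIG_TRUSTED_KEYS=m` beside the new `CONFIG_ENCRYPTED_KEYS=y`; as far as I recall, in 4.19 a built-in encrypted-keys cannot use a master key from a modular trusted-keys, which would leave only a `user`-type master key to seal the EVM key. Please confirm this, and if a TPM-sealed master key is intended use `CONFIG_TRUSTED_KEYS=y` (this needs the TPM core built in, which is not visible here). Separately, `# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set` drops a check in a change labelled as hardening, so the changelog should give the reason, for example `- Disable HARDENED_USERCOPY_PAGESPAN (debug-only check, false positives on multi-page allocations).` if that is the motivation.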
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.19.6 |
5 |
-Release: 2%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 3%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -234,6 +234,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
234 | 234 |
/usr/src/linux-headers-%{uname_r} |
235 | 235 |
|
236 | 236 |
%changelog |
237 |
+* Wed Jan 09 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-3 |
|
238 |
+- Additional security hardening options in the config. |
|
237 | 239 |
* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 |
238 | 240 |
- Enable AppArmor by default. |
239 | 241 |
* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-1 |