@@ -3915,7 +3915,7 @@ CONFIG_FAT_DEFAULT_IOCHARSET="ascii"

 # Pseudo filesystems

 #

 CONFIG_PROC_FS=y

-CONFIG_PROC_KCORE=y

+# CONFIG_PROC_KCORE is not set

 CONFIG_PROC_VMCORE=y

 CONFIG_PROC_SYSCTL=y

 CONFIG_PROC_PAGE_MONITOR=y

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux-secure

 Version:        4.9.80

-Release:        1%{?kat_build:.%kat_build}%{?dist}

+Release:        2%{?kat_build:.%kat_build}%{?dist}

 License:        GPLv2

 URL:            http://www.kernel.org/

 Group:          System Environment/Kernel

@@ -263,7 +263,7 @@ cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_

 # because .ko files will be loaded from the memory (LoadPin: obj=<unknown>)

 cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF"

 # GRUB Environment Block

-photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1

+photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge

 photon_linux=vmlinuz-%{uname_r}

 photon_initrd=initrd.img-%{uname_r}

 EOF

@@ -326,6 +326,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg

 /usr/src/linux-headers-%{uname_r}

 %changelog

+*   Mon Mar 18 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.80-2

+-   Extra hardening: slab_nomerge, disable /proc/kcore

 *   Mon Feb 05 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.80-1

 -   Update to version 4.9.80

 *   Wed Jan 31 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.79-1