- cmdline: added pti=on
- config: PANIC_TIMEOUT=-1, DEBUG_RODATA_TEST=y
- NCC Group recommendation: added audit=1 to the cmdline so that auditing is
enabled from the very beginning
Change-Id: I449baf30e62ca5decc28c5889c388066c1eaec7d
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6487
Tested-by: michellew <michellew@vmware.com>
Reviewed-by: Srivatsa S. Bhat <srivatsab@vmware.com>
... | ... |
@@ -4823,7 +4823,7 @@ CONFIG_PAGE_POISONING=y |
4823 | 4823 |
CONFIG_PAGE_POISONING_NO_SANITY=y |
4824 | 4824 |
CONFIG_PAGE_POISONING_ZERO=y |
4825 | 4825 |
# CONFIG_DEBUG_PAGE_REF is not set |
4826 |
-# CONFIG_DEBUG_RODATA_TEST is not set |
|
4826 |
+CONFIG_DEBUG_RODATA_TEST=y |
|
4827 | 4827 |
# CONFIG_DEBUG_OBJECTS is not set |
4828 | 4828 |
# CONFIG_SLUB_DEBUG_ON is not set |
4829 | 4829 |
# CONFIG_SLUB_STATS is not set |
... | ... |
@@ -4863,7 +4863,7 @@ CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 |
4863 | 4863 |
# CONFIG_WQ_WATCHDOG is not set |
4864 | 4864 |
CONFIG_PANIC_ON_OOPS=y |
4865 | 4865 |
CONFIG_PANIC_ON_OOPS_VALUE=1 |
4866 |
-CONFIG_PANIC_TIMEOUT=0 |
|
4866 |
+CONFIG_PANIC_TIMEOUT=-1 |
|
4867 | 4867 |
CONFIG_SCHED_DEBUG=y |
4868 | 4868 |
CONFIG_SCHED_INFO=y |
4869 | 4869 |
CONFIG_SCHEDSTATS=y |
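Review bot: With `CONFIG_PANIC_ON_OOPS=y` already present in the second hunk's context, changing `CONFIG_PANIC_TIMEOUT` to `-1` turns every oops into an immediate reboot, so the panic trace survives only if a crash-persistence path (pstore, kdump, or a serial/remote console) is configured, and these hunks do not show one. It would be worth confirming that and recording the trade-off in the spec changelog, e.g. `- config: PANIC_TIMEOUT=-1 (reboot immediately on panic; trace must be captured via pstore/kdump)`. A `panic=` value on the kernel command line overrides this built-in default, so the setting holds only while the boot entry does not set it. `CONFIG_DEBUG_RODATA_TEST=y` in the first hunk appears to be a boot-time self-check only, so its log line is worth asserting in the image's boot tests rather than assuming it passes.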
... | ... |
@@ -2,7 +2,7 @@ |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 | 4 |
Version: 4.19.6 |
5 |
-Release: 3%{?kat_build:.%kat_build}%{?dist} |
|
5 |
+Release: 4%{?kat_build:.%kat_build}%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
... | ... |
@@ -172,7 +172,7 @@ cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_ |
172 | 172 |
# because .ko files will be loaded from the memory (LoadPin: obj=<unknown>) |
173 | 173 |
cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" |
174 | 174 |
# GRUB Environment Block |
175 |
-photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge |
|
175 |
+photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 audit=1 slub_debug=P page_poison=1 slab_nomerge pti=on |
|
176 | 176 |
photon_linux=vmlinuz-%{uname_r} |
177 | 177 |
photon_initrd=initrd.img-%{uname_r} |
178 | 178 |
EOF |
... | ... |
@@ -234,6 +234,9 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
234 | 234 |
/usr/src/linux-headers-%{uname_r} |
235 | 235 |
|
236 | 236 |
%changelog |
237 |
+* Thu Jan 10 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-4 |
|
238 |
+- cmdline: added audit=1 pti=on |
|
239 |
+- config: PANIC_TIMEOUT=-1, DEBUG_RODATA_TEST=y |
|
237 | 240 |
* Wed Jan 09 2019 Alexey Makhalov <amakhalov@vmware.com> 4.19.6-3 |
238 | 241 |
- Additional security hardening options in the config. |
239 | 242 |
* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 |
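Review bot: `audit=1` on the new `photon_cmdline` line enables auditing before auditd is running, so boot-time records wait in the kernel backlog, and the line leaves `audit_backlog_limit` at its default (64 records), which can drop early events before the daemon drains them. Consider setting a larger limit alongside it, for example `audit=1 audit_backlog_limit=8192`, with the value sized for this image. The heredoc only writes the cfg for the newly built kernel; whether already-installed systems pick up `audit=1` and `pti=on` depends on the `/boot/photon.cfg` relink in the scriptlet, which lies outside these hunks. The changelog entry could also record where the audit change came from, as the commit message does: `- cmdline: added audit=1 (NCC Group recommendation), pti=on`.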