Docker can use AppArmor profiles to tighten the security of
containers. For example, it can prevent "escape to host" attacks by
restricting access to proc and sys filesystems inside the container.
AppArmor needs kernel support, so enable it and also make it the
default security module.
Change-Id: I9ed4d7be11fb87827f5a9a4573183c5394d24574
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5344
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
| ... | ... |
@@ -1,6 +1,6 @@ |
| 1 | 1 |
# |
| 2 | 2 |
# Automatically generated file; DO NOT EDIT. |
| 3 |
-# Linux/x86 4.9.78 Kernel Configuration |
|
| 3 |
+# Linux/x86 4.9.111 Kernel Configuration |
|
| 4 | 4 |
# |
| 5 | 5 |
CONFIG_64BIT=y |
| 6 | 6 |
CONFIG_X86_64=y |
| ... | ... |
@@ -4455,9 +4455,9 @@ CONFIG_INTEGRITY_AUDIT=y |
| 4455 | 4455 |
# CONFIG_EVM is not set |
| 4456 | 4456 |
# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
| 4457 | 4457 |
# CONFIG_DEFAULT_SECURITY_SMACK is not set |
| 4458 |
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set |
|
| 4459 |
-CONFIG_DEFAULT_SECURITY_DAC=y |
|
| 4460 |
-CONFIG_DEFAULT_SECURITY="" |
|
| 4458 |
+CONFIG_DEFAULT_SECURITY_APPARMOR=y |
|
| 4459 |
+# CONFIG_DEFAULT_SECURITY_DAC is not set |
|
| 4460 |
+CONFIG_DEFAULT_SECURITY="apparmor" |
|
| 4461 | 4461 |
CONFIG_XOR_BLOCKS=m |
| 4462 | 4462 |
CONFIG_ASYNC_CORE=m |
| 4463 | 4463 |
CONFIG_ASYNC_MEMCPY=m |
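Review bot: The second hunk of this file only switches the default LSM selection (`CONFIG_DEFAULT_SECURITY_APPARMOR=y`, `CONFIG_DEFAULT_SECURITY="apparmor"`); nothing visible in this file's hunks enables `CONFIG_SECURITY_APPARMOR` itself. Both hunk headers keep identical old/new line counts (`-1,6 +1,6` and `-4455,9 +4455,9`), so this commit added no SECURITY_APPARMOR lines elsewhere in this config — if that option was not already =y here, the DEFAULT_SECURITY_APPARMOR choice is not selectable in Kconfig (it depends on SECURITY_APPARMOR=y) and a `make olddefconfig` pass would presumably fall back to DAC, which is exactly what the other config on this page fixes explicitly by adding `CONFIG_SECURITY_APPARMOR=y` plus the `_HASH`/`_BOOTPARAM_VALUE` options. Worth confirming in this file's unchanged region that `CONFIG_SECURITY_APPARMOR=y` and `CONFIG_SECURITY_PATH=y` are present (AppArmor's Kconfig selects SECURITY_PATH), or adding the same lines as in the other config.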
| ... | ... |
@@ -1,6 +1,6 @@ |
| 1 | 1 |
# |
| 2 | 2 |
# Automatically generated file; DO NOT EDIT. |
| 3 |
-# Linux/x86 4.9.80 Kernel Configuration |
|
| 3 |
+# Linux/x86 4.9.111 Kernel Configuration |
|
| 4 | 4 |
# |
| 5 | 5 |
CONFIG_64BIT=y |
| 6 | 6 |
CONFIG_X86_64=y |
| ... | ... |
@@ -3959,7 +3959,7 @@ CONFIG_PAGE_TABLE_ISOLATION=y |
| 3959 | 3959 |
CONFIG_SECURITYFS=y |
| 3960 | 3960 |
CONFIG_SECURITY_NETWORK=y |
| 3961 | 3961 |
CONFIG_SECURITY_NETWORK_XFRM=y |
| 3962 |
-# CONFIG_SECURITY_PATH is not set |
|
| 3962 |
+CONFIG_SECURITY_PATH=y |
|
| 3963 | 3963 |
CONFIG_INTEL_TXT=y |
| 3964 | 3964 |
CONFIG_LSM_MMAP_MIN_ADDR=65536 |
| 3965 | 3965 |
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y |
| ... | ... |
@@ -3974,7 +3974,10 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y |
| 3974 | 3974 |
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 |
| 3975 | 3975 |
# CONFIG_SECURITY_SMACK is not set |
| 3976 | 3976 |
# CONFIG_SECURITY_TOMOYO is not set |
| 3977 |
-# CONFIG_SECURITY_APPARMOR is not set |
|
| 3977 |
+CONFIG_SECURITY_APPARMOR=y |
|
| 3978 |
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 |
|
| 3979 |
+CONFIG_SECURITY_APPARMOR_HASH=y |
|
| 3980 |
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y |
|
| 3978 | 3981 |
# CONFIG_SECURITY_LOADPIN is not set |
| 3979 | 3982 |
# CONFIG_SECURITY_YAMA is not set |
| 3980 | 3983 |
CONFIG_INTEGRITY=y |
| ... | ... |
@@ -3982,9 +3985,10 @@ CONFIG_INTEGRITY=y |
| 3982 | 3982 |
CONFIG_INTEGRITY_AUDIT=y |
| 3983 | 3983 |
# CONFIG_IMA is not set |
| 3984 | 3984 |
# CONFIG_EVM is not set |
| 3985 |
-CONFIG_DEFAULT_SECURITY_SELINUX=y |
|
| 3985 |
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set |
|
| 3986 |
+CONFIG_DEFAULT_SECURITY_APPARMOR=y |
|
| 3986 | 3987 |
# CONFIG_DEFAULT_SECURITY_DAC is not set |
| 3987 |
-CONFIG_DEFAULT_SECURITY="selinux" |
|
| 3988 |
+CONFIG_DEFAULT_SECURITY="apparmor" |
|
| 3988 | 3989 |
CONFIG_XOR_BLOCKS=m |
| 3989 | 3990 |
CONFIG_ASYNC_CORE=m |
| 3990 | 3991 |
CONFIG_ASYNC_MEMCPY=m |
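Review bot: The default-LSM hunk (`@@ -3982,9 +3985,10`) flips this config from `CONFIG_DEFAULT_SECURITY="selinux"` to `"apparmor"` while SELinux stays compiled in (the `CONFIG_SECURITY_SELINUX_*` context in the third hunk), and on a 4.9 kernel only one major LSM is active, so any deployment of this kernel flavor that relied on SELinux loses policy enforcement unless `security=selinux` is given on the kernel command line; the changelog line "Enable and use AppArmor security module by default" does not say so. Suggest extending the commit message and changelog with something like `- Switch default LSM from SELinux to AppArmor (boot with security=selinux to keep the previous behaviour).` Note also that `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` only activates the LSM at boot; nothing is confined until userspace loads profiles (apparmor_parser), and whether that userspace package is part of the same image is not visible on this page.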
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux-aws |
| 4 | 4 |
Version: 4.9.111 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -451,6 +451,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 451 | 451 |
/usr/share/doc/* |
| 452 | 452 |
|
| 453 | 453 |
%changelog |
| 454 |
+* Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2 |
|
| 455 |
+- Enable and use AppArmor security module by default. |
|
| 454 | 456 |
* Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1 |
| 455 | 457 |
- Update to version 4.9.111 |
| 456 | 458 |
* Wed Jun 27 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.109-2 |
| ... | ... |
@@ -2,7 +2,7 @@ |
| 2 | 2 |
Summary: Kernel |
| 3 | 3 |
Name: linux |
| 4 | 4 |
Version: 4.9.111 |
| 5 |
-Release: 1%{?kat_build:.%kat_build}%{?dist}
|
|
| 5 |
+Release: 2%{?kat_build:.%kat_build}%{?dist}
|
|
| 6 | 6 |
License: GPLv2 |
| 7 | 7 |
URL: http://www.kernel.org/ |
| 8 | 8 |
Group: System Environment/Kernel |
| ... | ... |
@@ -373,6 +373,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
|
| 373 | 373 |
/usr/share/doc/* |
| 374 | 374 |
|
| 375 | 375 |
%changelog |
| 376 |
+* Wed Jul 11 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.111-2 |
|
| 377 |
+- Enable and use AppArmor security module by default. |
|
| 376 | 378 |
* Sat Jul 07 2018 Alexey Makhalov <amakhalov@vmware.com> 4.9.111-1 |
| 377 | 379 |
- Update to version 4.9.111 |
| 378 | 380 |
* Sun Jul 01 2018 Ron Jaegers <ron.jaegers@gmail.com> 4.9.109-3 |