%global security_hardening none Summary: Kernel Name: linux-secure Version: 4.18.9 Release: 3%{?kat_build:.%kat_build}%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel Vendor: VMware, Inc. Distribution: Photon Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz %define sha1 linux=229ed4bedc5b8256bdd761845b1d7e20e1df12d7 Source1: config-secure Source2: initramfs.trigger # common Patch0: linux-4.14-Log-kmsg-dump-on-panic.patch Patch1: double-tcp_mem-limits.patch # TODO: disable this patch, check for regressions #Patch2: linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch Patch3: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch Patch4: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch Patch5: vsock-transport-for-9p.patch Patch6: 4.18-x86-vmware-STA-support.patch # secure Patch7: 0001-bpf-ext4-bonding-Fix-compilation-errors.patch Patch13: 0001-NOWRITEEXEC-and-PAX-features-MPROTECT-EMUTRAMP.patch Patch14: 0002-Added-PAX_RANDKSTACK.patch Patch15: 0003-Added-rap_plugin.patch # HyperV Patches Patch16: 0004-vmbus-Don-t-spam-the-logs-with-unknown-GUIDs.patch #FIPS patches - allow some algorithms Patch24: 4.18-Allow-some-algo-tests-for-FIPS.patch Patch26: 4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch # Fix CVE-2017-1000252 Patch31: kvm-dont-accept-wrong-gsi-values.patch # Out-of-tree patches from AppArmor: Patch32: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch Patch33: 4.17-0002-apparmor-af_unix-mediation.patch Patch34: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch Patch35: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch # NSX requirements (should be removed) Patch99: LKCM.patch %if 0%{?kat_build:1} Patch1000: %{kat_build}.patch %endif BuildRequires: bc BuildRequires: kbd BuildRequires: kmod-devel BuildRequires: glib-devel BuildRequires: xerces-c-devel BuildRequires: xml-security-c-devel BuildRequires: libdnet-devel BuildRequires: libmspack-devel BuildRequires: Linux-PAM-devel BuildRequires: openssl-devel BuildRequires: procps-ng-devel Requires: filesystem kmod Requires(post):(coreutils or toybox) %define uname_r %{version}-%{release}-secure %description Security hardened Linux kernel. %package lkcm Summary: LKCM module Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} %description lkcm The Linux package contains the LKCM driver module %package devel Summary: Kernel Dev Group: System Environment/Kernel Requires: python2 gawk Requires: %{name} = %{version}-%{release} %description devel The Linux package contains the Linux kernel dev files %package docs Summary: Kernel docs Group: System Environment/Kernel Requires: python2 Requires: %{name} = %{version}-%{release} %description docs The Linux package contains the Linux kernel doc files %prep %setup -q -n linux-%{version} %patch0 -p1 %patch1 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch24 -p1 %patch26 -p1 %patch31 -p1 %patch32 -p1 %patch33 -p1 %patch34 -p1 %patch35 -p1 pushd .. %patch99 -p0 popd %if 0%{?kat_build:1} %patch1000 -p1 %endif %build # patch vmw_balloon driver sed -i 's/module_init/late_initcall/' drivers/misc/vmw_balloon.c make mrproper cp %{SOURCE1} .config sed -i 's/CONFIG_LOCALVERSION="-secure"/CONFIG_LOCALVERSION="-%{release}-secure"/' .config make LC_ALL= oldconfig make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH="x86_64" %{?_smp_mflags} # build LKCM module bldroot=`pwd` pushd ../LKCM sed -i '/#include /d' drv_fips_test.c sed -i '/#include /d' fips_test.c make -C $bldroot M=`pwd` modules popd %define __modules_install_post \ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ rm -f $MODULE.{sig,dig} \ xz $MODULE \ done \ %{nil} # __os_install_post strips signature from modules. We need to resign it again # and then compress. Extra step is added to the default __spec_install_post. %define __spec_install_post\ %{?__debug_package:%{__debug_install_post}}\ %{__arch_install_post}\ %{__os_install_post}\ %{__modules_install_post}\ %{nil} %install install -vdm 755 %{buildroot}/etc install -vdm 755 %{buildroot}/boot install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r} install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install # install LKCM module bldroot=`pwd` pushd ../LKCM make -C $bldroot M=`pwd` INSTALL_MOD_PATH=%{buildroot} modules_install popd cp -v arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} cp -v System.map %{buildroot}/boot/System.map-%{uname_r} cp -v .config %{buildroot}/boot/config-%{uname_r} cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r} install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r} cp -v vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} # Since we use compressed modules we cann't use load pinning, # because .ko files will be loaded from the memory (LoadPin: obj=) cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" # GRUB Environment Block photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta loadpin.enabled=0 slub_debug=P page_poison=1 slab_nomerge photon_linux=vmlinuz-%{uname_r} photon_initrd=initrd.img-%{uname_r} EOF # Register myself to initramfs mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel cat > %{buildroot}/%{_localstatedir}/lib/initramfs/kernel/%{uname_r} << "EOF" --add-drivers "tmem xen-scsifront xen-blkfront xen-acpi-processor xen-evtchn xen-gntalloc xen-gntdev xen-privcmd xen-pciback xenfs hv_utils hv_vmbus hv_storvsc hv_netvsc hv_sock hv_balloon cn" EOF # cleanup dangling symlinks rm -f %{buildroot}/lib/modules/%{uname_r}/source rm -f %{buildroot}/lib/modules/%{uname_r}/build # create /use/src/linux-headers-*/ content find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy find arch/x86/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy # copy .config manually to be where it's expected to be cp .config %{buildroot}/usr/src/linux-headers-%{uname_r} # symling to the build folder ln -sf /usr/src/linux-headers-%{uname_r} %{buildroot}/lib/modules/%{uname_r}/build %include %{SOURCE2} %post /sbin/depmod -a %{uname_r} ln -sf linux-%{uname_r}.cfg /boot/photon.cfg %post lkcm /sbin/depmod -a %{uname_r} %files %defattr(-,root,root) /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} %config(noreplace) /boot/linux-%{uname_r}.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} /lib/modules/* %exclude /lib/modules/%{uname_r}/build %exclude /usr/src %exclude /lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz %files lkcm %defattr(-,root,root) /lib/modules/%{uname_r}/extra/fips_lkcm.ko.xz %files docs %defattr(-,root,root) %{_defaultdocdir}/linux-%{uname_r}/* %files devel %defattr(-,root,root) /lib/modules/%{uname_r}/build /usr/src/linux-headers-%{uname_r} %changelog * Tue Oct 30 2018 Srivatsa S. Bhat (VMware) 4.18.9-3 - Fix PAX randkstack and RAP plugin patches to avoid boot panic. * Mon Oct 22 2018 Srivatsa S. Bhat (VMware) 4.18.9-2 - Use updated steal time accounting patch. * Tue Sep 25 2018 Srivatsa S. Bhat 4.18.9-1 - Update to version 4.18.9 * Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 - Update to version 4.14.67 * Tue Sep 18 2018 Srivatsa S. Bhat 4.14.54-4 - Add rdrand-based RNG driver to enhance kernel entropy. * Sun Sep 02 2018 Srivatsa S. Bhat 4.14.54-3 - Add full retpoline support by building with retpoline-enabled gcc. * Thu Aug 30 2018 Srivatsa S. Bhat 4.14.54-2 - Apply out-of-tree patches needed for AppArmor. * Mon Jul 09 2018 Him Kalyan Bordoloi 4.14.54-1 - Update to version 4.14.54 * Mon Mar 19 2018 Alexey Makhalov 4.14.8-2 - Extra hardening: slab_nomerge and some .config changes * Fri Feb 16 2018 Alexey Makhalov 4.14.8-1 - Version update to v4.14 LTS. Drop aufs support. * Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 - Version update * Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 - Version update * Wed Nov 08 2017 Alexey Makhalov 4.9.60-2 - Update LKCM module - Add -lkcm subpackage * Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 - Version update * Wed Oct 11 2017 Srivatsa S. Bhat 4.9.53-3 - Add patch "KVM: Don't accept obviously wrong gsi values via - KVM_IRQFD" to fix CVE-2017-1000252. * Tue Oct 10 2017 Alexey Makhalov 4.9.53-2 - Build hang (at make oldconfig) fix. * Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 - Version update * Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-3 - Allow privileged CLONE_NEWUSER from nested user namespaces. * Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-2 - Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) * Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-1 - Version update * Mon Sep 18 2017 Alexey Makhalov 4.9.47-2 - Requires coreutils or toybox * Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 - Fix CVE-2017-11600 * Tue Aug 22 2017 Anish Swaminathan 4.9.43-2 - Add missing xen block drivers * Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 - Version update - [feature] new sysctl option unprivileged_userns_clone * Wed Aug 09 2017 Alexey Makhalov 4.9.41-2 - Fix CVE-2017-7542 - [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid - panic on modprobe tcrypt * Mon Aug 07 2017 Alexey Makhalov 4.9.41-1 - Version update * Fri Aug 04 2017 Bo Gan 4.9.38-6 - Fix initramfs triggers * Tue Aug 01 2017 Anish Swaminathan 4.9.38-5 - Allow some algorithms in FIPS mode - Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports - bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree - Enable additional NF features * Fri Jul 21 2017 Anish Swaminathan 4.9.38-4 - Add patches in Hyperv codebase * Fri Jul 21 2017 Anish Swaminathan 4.9.38-3 - Add missing hyperv drivers * Thu Jul 20 2017 Alexey Makhalov 4.9.38-2 - Disable scheduler beef up patch * Tue Jul 18 2017 Alexey Makhalov 4.9.38-1 - Fix CVE-2017-11176 and CVE-2017-10911 * Fri Jul 14 2017 Alexey Makhalov 4.9.34-3 - Remove aufs source tarballs from git repo * Mon Jul 03 2017 Xiaolin Li 4.9.34-2 - Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires * Wed Jun 28 2017 Alexey Makhalov 4.9.34-1 - [feature] 9P FS security support - [feature] DM Delay target support - Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605 * Thu Jun 8 2017 Alexey Makhalov 4.9.31-1 - Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076 - CVE-2017-9077 and CVE-2017-9242 - [feature] IPV6 netfilter NAT table support * Fri May 26 2017 Alexey Makhalov 4.9.30-1 - Fix CVE-2017-7487 and CVE-2017-9059 * Wed May 17 2017 Vinay Kulkarni 4.9.28-2 - Enable IPVLAN module. * Tue May 16 2017 Alexey Makhalov 4.9.28-1 - Version update * Wed May 10 2017 Alexey Makhalov 4.9.27-1 - Version update * Sun May 7 2017 Alexey Makhalov 4.9.26-1 - Version update - Removed version suffix from config file name * Thu Apr 27 2017 Bo Gan 4.9.24-2 - Support dynamic initrd generation * Tue Apr 25 2017 Alexey Makhalov 4.9.24-1 - Fix CVE-2017-6874 and CVE-2017-7618. - .config: build nvme and nvme-core in kernel. * Tue Mar 21 2017 Alexey Makhalov 4.9.13-3 - Added LKCM module * Mon Mar 6 2017 Alexey Makhalov 4.9.13-2 - .config: NSX requirements for crypto and netfilter * Tue Feb 28 2017 Alexey Makhalov 4.9.13-1 - Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074 - .config: disable XEN guest (needs rap_plugin verification) * Wed Feb 22 2017 Alexey Makhalov 4.9.9-2 - rap_plugin improvement: throw error on function type casting - function signatures were cleaned up using this feature. - Added RAP_ENTRY for asm functions. * Thu Feb 09 2017 Alexey Makhalov 4.9.9-1 - Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546, - CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576. - Added aufs support. - Added PAX_RANDKSTACK feature. - Extra func signatures cleanup to fix 1809717 and 1809722. - .config: added CRYPTO_FIPS support. * Tue Jan 10 2017 Alexey Makhalov 4.9.2-1 - Update to linux-4.9.2 to fix CVE-2016-10088 - Rename package to linux-secure. - Added KSPP cmdline params: slub_debug=P page_poison=1 * Mon Dec 19 2016 Xiaolin Li 4.9.0-2 - BuildRequires Linux-PAM-devel * Mon Dec 12 2016 Alexey Makhalov 4.9.0-1 - Update to linux-4.9.0 - Add paravirt stolen time accounting feature (from linux-esx), - but disable it by default (no-vmw-sta cmdline parameter) - Use vmware_io_delay() to keep "void fn(void)" signature * Wed Nov 30 2016 Alexey Makhalov 4.8.0-2 - Expand `uname -r` with release number - Resign and compress modules after stripping - .config: add syscalls tracing support - .config: add cgrup_hugetlb support - .config: add netfilter_xt_{set,target_ct} support - .config: add netfilter_xt_match_{cgroup,ipvs} support - .config: disable /dev/mem * Mon Oct 17 2016 Alexey Makhalov 4.8.0-1 - Initial commit.