From 67b5ba4bf028b30784c1bd0b460d928c50bfaaa4 Mon Sep 17 00:00:00 2001 From: rlmenge Date: Thu, 4 Aug 2022 13:19:38 -0700 Subject: [PATCH] kernel: turn on landlock (#3484) --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 5 ++++- SPECS/kernel-headers/kernel-headers.spec | 5 ++++- SPECS/kernel/config | 4 ++-- SPECS/kernel/config_aarch64 | 4 ++-- SPECS/kernel/kernel.signatures.json | 4 ++-- SPECS/kernel/kernel.spec | 5 ++++- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 2 +- 10 files changed, 22 insertions(+), 13 deletions(-) diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 760685ecb7..13ab329461 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 5.15.57.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -153,6 +153,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %exclude /module_info.ld %changelog +* Tue Aug 02 2022 Rachel Menge - 5.15.57.1-3 +- Bump release number to match kernel release + * Mon Aug 01 2022 Rachel Menge - 5.15.57.1-2 - Bump release number to match kernel release diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 1a26b48bb7..d6f0a7f608 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,7 +1,7 @@ Summary: Linux API header files Name: kernel-headers Version: 5.15.57.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner 
@@ -36,6 +36,9 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Tue Aug 02 2022 Rachel Menge - 5.15.57.1-3 +- Bump release number to match kernel release + * Mon Aug 01 2022 Rachel Menge - 5.15.57.1-2 - Bump release number to match kernel release diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 5c7edd8270..f1472f513f 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -6773,7 +6773,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set -# CONFIG_SECURITY_LANDLOCK is not set +CONFIG_SECURITY_LANDLOCK=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set CONFIG_INTEGRITY_AUDIT=y @@ -6798,7 +6798,7 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y # CONFIG_DEFAULT_SECURITY_SELINUX is not set CONFIG_DEFAULT_SECURITY_APPARMOR=y # CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,tomoyo" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,tomoyo" # # Kernel hardening options diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index e99c934c8c..2826666d71 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -8954,7 +8954,7 @@ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set -# CONFIG_SECURITY_LANDLOCK is not set +CONFIG_SECURITY_LANDLOCK=y CONFIG_INTEGRITY=y # CONFIG_INTEGRITY_SIGNATURE is not set CONFIG_INTEGRITY_AUDIT=y 
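Review bot: Setting `CONFIG_SECURITY_LANDLOCK=y` on its own does not activate the LSM at boot; the `CONFIG_LSM` ordering hunk that follows (and its twin in config_aarch64 at the 8980 hunk) is what makes landlock initialize, yet the kernel.spec changelog entry records only the Kconfig symbol. Suggest extending that entry with `- Add landlock to the front of CONFIG_LSM (matches the upstream default order)` so the runtime-visible change is traceable from the package history. Landlock is a stackable LSM, so listing it alongside apparmor/selinux should stack rather than conflict, but it is worth confirming on a booted image that `/sys/kernel/security/lsm` lists landlock, since any `lsm=` entry on the kernel command line in the boot config would override this built-in list and silently drop it.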
@@ -8980,7 +8980,7 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y # CONFIG_DEFAULT_SECURITY_SELINUX is not set CONFIG_DEFAULT_SECURITY_APPARMOR=y # CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,tomoyo" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,tomoyo" # # Kernel hardening options diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index ba9ef667e2..3218968342 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0", - "config": "a62487f734129283b6ac8d39bc9904d281af8ed59741dd7f412fb37e7544a715", - "config_aarch64": "7cd37ede6cd4af979c4ac4a42054c8093e309d776a113f47c1ba0f71d5fb2645", + "config": "fe08d6d95149bc0be3a3b890d50e617751a2d9a2a62634e27299d13fb9773303", + "config_aarch64": "744a209729a6adb0d254fd62c6487d07d610e417c0c1a7730129481985508249", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", "kernel-5.15.57.1.tar.gz": "010bbb79b84d9df58a1b8d3198d46466d9d042e3fb2fe24b7b9ef10c109449a8" } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 8debee4e09..79be794b4f 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -18,7 +18,7 @@ Summary: Linux Kernel Name: kernel Version: 5.15.57.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -391,6 +391,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Aug 02 2022 Rachel Menge - 5.15.57.1-3 +- Turn on CONFIG_SECURITY_LANDLOCK + * Mon Aug 01 2022 Rachel Menge - 5.15.57.1-2 - Turn on CONFIG_BLK_DEV_ZONED 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index ef5b2ea9fd..92388bbdd0 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-10.cm2.aarch64.rpm
-kernel-headers-5.15.57.1-2.cm2.noarch.rpm
+kernel-headers-5.15.57.1-3.cm2.noarch.rpm
 glibc-2.35-2.cm2.aarch64.rpm
 glibc-devel-2.35-2.cm2.aarch64.rpm
 glibc-i18n-2.35-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 25d4ee5ffb..92e0143199 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-10.cm2.x86_64.rpm
-kernel-headers-5.15.57.1-2.cm2.noarch.rpm
+kernel-headers-5.15.57.1-3.cm2.noarch.rpm
 glibc-2.35-2.cm2.x86_64.rpm
 glibc-devel-2.35-2.cm2.x86_64.rpm
 glibc-i18n-2.35-2.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 1698d25e21..8c9f66fcfb 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -131,7 +131,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.aarch64.rpm
 kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm
-kernel-headers-5.15.57.1-2.cm2.noarch.rpm
+kernel-headers-5.15.57.1-3.cm2.noarch.rpm
 kmod-29-1.cm2.aarch64.rpm
 kmod-debuginfo-29-1.cm2.aarch64.rpm
 kmod-devel-29-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index f1e542f2cb..60a1e0c108 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -131,7 +131,7 @@ intltool-0.51.0-7.cm2.noarch.rpm
 itstool-2.0.6-4.cm2.noarch.rpm
 kbd-2.2.0-1.cm2.x86_64.rpm
 kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm
-kernel-headers-5.15.57.1-2.cm2.noarch.rpm
+kernel-headers-5.15.57.1-3.cm2.noarch.rpm
 kmod-29-1.cm2.x86_64.rpm
 kmod-debuginfo-29-1.cm2.x86_64.rpm
 kmod-devel-29-1.cm2.x86_64.rpm