From 71fd1532e9886795e7715dc7511338230f7fdb66 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Tue, 10 Nov 2015 17:37:13 -0800
Subject: [PATCH 1/2] coreos-kernel: update fs and security options
- Switched overlay from built-in to a module.
- Squashfs was missing xattr support, required for filesystem capabilities to work. ping should now work in PXE and ISO images.
- We never switched to stackprotector string when we updated to GCC 4.9
- Enable extra credential and selinux checks (DEBUG_CREDENTIALS)
- Enable RODATA and syn cookies on arm64.
---
 ...4.2.2-r5.ebuild => coreos-kernel-4.2.2-r6.ebuild} | 0
 .../coreos-kernel/files/amd64_defconfig-4.2 | 7 +++++--
 .../coreos-kernel/files/arm64_defconfig-4.2 | 12 ++++++++++--
 3 files changed, 15 insertions(+), 4 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.2.2-r5.ebuild => coreos-kernel-4.2.2-r6.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r6.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r5.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r6.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
index 9404b5e0ed..92ec00edb5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
@@ -36,7 +36,7 @@ CONFIG_EXPERT=y
 # CONFIG_COMPAT_BRK is not set
 CONFIG_PROFILING=y
 CONFIG_JUMP_LABEL=y
-CONFIG_CC_STACKPROTECTOR_REGULAR=y
+CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
 CONFIG_MODULE_SIG=y
@@ -856,7 +856,7 @@ CONFIG_QUOTA_NETLINK_INTERFACE=y
 CONFIG_QFMT_V2=m
 CONFIG_AUTOFS4_FS=m
 CONFIG_FUSE_FS=m
-CONFIG_OVERLAY_FS=y
+CONFIG_OVERLAY_FS=m
 CONFIG_ISO9660_FS=m
 CONFIG_JOLIET=y
 CONFIG_ZISOFS=y
@@ -870,6 +870,8 @@ CONFIG_TMPFS_POSIX_ACL=y
 CONFIG_HUGETLBFS=y
 CONFIG_CONFIGFS_FS=m
 CONFIG_SQUASHFS=m
+CONFIG_SQUASHFS_XATTR=y
+CONFIG_SQUASHFS_LZ4=y
 CONFIG_SQUASHFS_LZO=y
 CONFIG_SQUASHFS_XZ=y
 CONFIG_NFS_FS=m
@@ -914,6 +916,7 @@ CONFIG_PANIC_ON_OOPS=y
 CONFIG_PANIC_TIMEOUT=60
 CONFIG_SCHED_STACK_END_CHECK=y
 CONFIG_TIMER_STATS=y
+CONFIG_DEBUG_CREDENTIALS=y
 CONFIG_RCU_CPU_STALL_TIMEOUT=60
 # CONFIG_RCU_CPU_STALL_INFO is not set
 CONFIG_LATENCYTOP=y
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
index ab05c5f7d9..d980d7dcac 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
@@ -33,6 +33,7 @@ CONFIG_KALLSYMS_ALL=y
 # CONFIG_COMPAT_BRK is not set
 CONFIG_PROFILING=y
 CONFIG_JUMP_LABEL=y
+CONFIG_CC_STACKPROTECTOR_STRONG=y
 CONFIG_MODULES=y
 CONFIG_MODULE_UNLOAD=y
 # CONFIG_IOSCHED_DEADLINE is not set
@@ -67,6 +68,7 @@ CONFIG_INET=y
 CONFIG_IP_PNP=y
 CONFIG_IP_PNP_DHCP=y
 CONFIG_IP_PNP_BOOTP=y
+CONFIG_SYN_COOKIES=y
 # CONFIG_INET_LRO is not set
 CONFIG_IPV6=y
 CONFIG_NETFILTER=y
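Review bot: Selecting `CONFIG_CC_STACKPROTECTOR_STRONG=y` here, and newly on arm64 in the @@ -33 hunk of arm64_defconfig-4.2, only requests the flag; in the 4.x top-level Makefile a compiler that lacks -fstack-protector-strong yields a build warning and the kernel is then built with no stack protector at all, as far as I recall. The commit message ties this to GCC 4.9, so the ebuild (renamed but not shown in this patch) should make that toolchain requirement fail the build rather than rely on the warning, and checking the produced vmlinux for __stack_chk_fail references is a cheap post-build confirmation. The commit message also reads "stackprotector string" where "strong" is meant.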
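Review bot: `CONFIG_SQUASHFS_LZ4=y` in the @@ -870 hunk is not motivated by the commit message, which only explains the xattr change; the same undocumented addition appears in the @@ -199 hunk of arm64_defconfig-4.2. A one-line rationale (images expected to use LZ4, or parity between the two arches) belongs in the message. Separately, because `CONFIG_SQUASHFS_XATTR=y` makes file capabilities stored in squashfs images take effect, the image build should audit the capability xattrs it ships, since they now grant privilege at runtime instead of being ignored.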
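Review bot: `CONFIG_DEBUG_CREDENTIALS=y` in the @@ -914 hunk is a consistency check whose failure path ends in BUG() (kernel/cred.c, as far as I recall); with `CONFIG_PANIC_ON_OOPS=y` and `CONFIG_PANIC_TIMEOUT=60` visible in the same hunk, a detected credential-structure inconsistency will therefore panic and reboot the host after 60 seconds. That is a defensible fail-closed posture for a production hardening profile, but it is an availability trade-off that "extra credential and selinux checks" in the commit message does not convey, so state it explicitly along with the small per-operation overhead. The arm64 counterpart is the @@ -220 hunk of arm64_defconfig-4.2.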
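Review bot: `CONFIG_SYN_COOKIES=y` in the arm64 @@ -67 hunk only compiles the mechanism; whether it is used is decided at runtime by the net.ipv4.tcp_syncookies sysctl, which I believe defaults to 1 in this series but can be overridden by the image's sysctl configuration. Since the stated goal is parity with amd64, confirm that the arm64 image ships the same sysctl defaults.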
@@ -199,13 +201,17 @@ CONFIG_QUOTA=y
 CONFIG_AUTOFS4_FS=y
 CONFIG_FUSE_FS=y
 CONFIG_CUSE=y
-CONFIG_OVERLAY_FS=y
+CONFIG_OVERLAY_FS=m
 CONFIG_VFAT_FS=y
 CONFIG_TMPFS=y
 CONFIG_TMPFS_POSIX_ACL=y
 CONFIG_HUGETLBFS=y
 CONFIG_EFIVAR_FS=y
-# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_SQUASHFS=m
+CONFIG_SQUASHFS_XATTR=y
+CONFIG_SQUASHFS_LZ4=y
+CONFIG_SQUASHFS_LZO=y
+CONFIG_SQUASHFS_XZ=y
 CONFIG_NFS_FS=y
 CONFIG_NFS_V4=y
 CONFIG_ROOT_NFS=y
@@ -220,7 +226,9 @@ CONFIG_DEBUG_KERNEL=y
 CONFIG_LOCKUP_DETECTOR=y
 CONFIG_SCHEDSTATS=y
 # CONFIG_DEBUG_PREEMPT is not set
+CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_FTRACE is not set
+CONFIG_DEBUG_RODATA=y
 CONFIG_SECURITY=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
 CONFIG_ARM64_CRYPTO=y
From 58ea72b5127f98554291c02dfb687ef3b6d6d06b Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Wed, 11 Nov 2015 10:34:51 -0800
Subject: [PATCH 2/2] coreos-kernel: more security option updates
- Enable RANDOMIZE_BASE, hopefully Xen is ok with this now.
- Disable HIBERNATE/KEXEC_JUMP, we don't need these features.
- Fix RO/NX settings in the arm64 kernel.
---
 ...os-kernel-4.2.2-r6.ebuild => coreos-kernel-4.2.2-r7.ebuild} | 0
 .../sys-kernel/coreos-kernel/files/amd64_defconfig-4.2 | 3 +--
 .../sys-kernel/coreos-kernel/files/arm64_defconfig-4.2 | 2 ++
 3 files changed, 3 insertions(+), 2 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.2.2-r6.ebuild => coreos-kernel-4.2.2-r7.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r7.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r6.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.2.2-r7.ebuild
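Review bot: Replacing `# CONFIG_MISC_FILESYSTEMS is not set` with the squashfs lines in the @@ -199 hunk re-enables the whole "Miscellaneous filesystems" menu, because a defconfig omits options at their default and MISC_FILESYSTEMS defaults to y; every other option under that menu now takes its Kconfig default instead of being masked off. I expect those defaults are all off, but the expanded .config should be diffed against the previous one to confirm squashfs is the only new filesystem, and the commit message should mention that the menu is now enabled rather than only the squashfs additions.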
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
index 92ec00edb5..1504a9c537 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/amd64_defconfig-4.2
@@ -93,11 +93,10 @@ CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_VERIFY_SIG=y
 CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
-CONFIG_KEXEC_JUMP=y
+CONFIG_RANDOMIZE_BASE=y
 CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_CMDLINE_BOOL=y
 CONFIG_CMDLINE="rootflags=rw mount.usrflags=ro"
-CONFIG_HIBERNATION=y
 # CONFIG_ACPI_AC is not set
 # CONFIG_ACPI_BATTERY is not set
 CONFIG_ACPI_BUTTON=m
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
index d980d7dcac..b69047260d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/files/arm64_defconfig-4.2
@@ -228,7 +228,9 @@ CONFIG_SCHEDSTATS=y
 # CONFIG_DEBUG_PREEMPT is not set
 CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_FTRACE is not set
+CONFIG_DEBUG_SET_MODULE_RONX=y
 CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_ALIGN_RODATA=y
 CONFIG_SECURITY=y
 CONFIG_CRYPTO_ANSI_CPRNG=y
 CONFIG_ARM64_CRYPTO=y
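Review bot: The new `CONFIG_RANDOMIZE_BASE=y` in the amd64 @@ -93 hunk sits next to the unchanged `CONFIG_PHYSICAL_ALIGN=0x1000000`, and in this kernel series x86 KASLR chooses the load address in CONFIG_PHYSICAL_ALIGN-sized steps within the RANDOMIZE_BASE_MAX_OFFSET range (1 GiB by default), so a 16 MiB alignment leaves only about 64 candidate positions. If nothing else needs the 16 MiB alignment, the minimum `CONFIG_PHYSICAL_ALIGN=0x200000` would give roughly eight times as many slots; check arch/x86/Kconfig for 4.2 before changing it. Dropping CONFIG_HIBERNATION is, I believe, required rather than optional here because RANDOMIZE_BASE depends on !HIBERNATION in 4.2 and KEXEC_JUMP depends on HIBERNATION, which the commit message should state instead of "we don't need these features". Since the message itself hedges on Xen, record the Xen configuration that was boot-tested, and note that a bootloader passing `nokaslr` disables the randomization at runtime, so the deployed command line is part of what needs checking.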
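Review bot: `CONFIG_DEBUG_ALIGN_RODATA=y` in the arm64 @@ -228 hunk depends on DEBUG_RODATA and, as far as I recall for this series, on ARM64_4K_PAGES; if this defconfig selects a different page size the option is silently dropped when the config is expanded, so the generated .config should be checked for it. It also pads the linker sections up to the section size and grows the image, which is acceptable for the RO/NX goal but deserves a line in the commit message. `CONFIG_DEBUG_SET_MODULE_RONX=y` is the option that actually extends the protection to module text and rodata; "Fix RO/NX settings" could name both options so the intent is clear.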