diff --git a/Dockerfile.dapper b/Dockerfile.dapper
index 7b7443c..85a8b6e 100644
--- a/Dockerfile.dapper
+++ b/Dockerfile.dapper
@@ -1,7 +1,7 @@
 FROM ubuntu:14.04
 RUN apt-get update && \
- apt-get install -y build-essential wget libncurses5-dev unzip bc curl python rsync ccache git vim
+ apt-get install -y build-essential wget libncurses5-dev unzip bc curl python rsync ccache git vim libssl-dev
 RUN locale-gen en_US.UTF-8
 ENV LANG en_US.UTF-8
diff --git a/config/kernel-config b/config/kernel-config
index b1e8dcd..5cc32cc 100644
--- a/config/kernel-config
+++ b/config/kernel-config
@@ -75,8 +75,11 @@ CONFIG_POSIX_MQUEUE_SYSCTL=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 CONFIG_FHANDLE=y
 CONFIG_USELIB=y
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
 #
 # IRQ subsystem
@@ -841,6 +844,7 @@ CONFIG_IPV6_SUBTREES=y
 CONFIG_IPV6_MROUTE=y
 CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
 CONFIG_IPV6_PIMSM_V2=y
+# CONFIG_NETLABEL is not set
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NET_PTP_CLASSIFY=y
 CONFIG_NETWORK_PHY_TIMESTAMPING=y
@@ -928,6 +932,7 @@ CONFIG_NETFILTER_XT_SET=m
 #
 # Xtables targets
 #
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
@@ -1100,6 +1105,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m
 CONFIG_IP_NF_TARGET_ECN=m
 CONFIG_IP_NF_TARGET_TTL=m
 CONFIG_IP_NF_RAW=m
+# CONFIG_IP_NF_SECURITY is not set
 CONFIG_IP_NF_ARPTABLES=m
 CONFIG_IP_NF_ARPFILTER=m
 CONFIG_IP_NF_ARP_MANGLE=m
@@ -1135,6 +1141,7 @@ CONFIG_IP6_NF_TARGET_REJECT=m
 CONFIG_IP6_NF_TARGET_SYNPROXY=m
 CONFIG_IP6_NF_MANGLE=m
 CONFIG_IP6_NF_RAW=m
+# CONFIG_IP6_NF_SECURITY is not set
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_TARGET_MASQUERADE=m
 CONFIG_IP6_NF_TARGET_NPT=m
@@ -3678,6 +3685,7 @@ CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
 CONFIG_FANOTIFY=y
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 CONFIG_QUOTA=y
 CONFIG_QUOTA_NETLINK_INTERFACE=y
 # CONFIG_PRINT_QUOTA_WARNING is not set
@@ -3793,6 +3801,7 @@ CONFIG_PNFS_BLOCK=m
 CONFIG_PNFS_FLEXFILE_LAYOUT=m
 CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org"
 # CONFIG_NFS_V4_1_MIGRATION is not set
+CONFIG_NFS_V4_SECURITY_LABEL=y
 # CONFIG_NFS_FSCACHE is not set
 # CONFIG_NFS_USE_LEGACY_DNS is not set
 CONFIG_NFS_USE_KERNEL_DNS=y
@@ -3803,6 +3812,7 @@ CONFIG_NFSD_V3=y
 CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
 # CONFIG_NFSD_PNFS is not set
+# CONFIG_NFSD_V4_SECURITY_LABEL is not set
 # CONFIG_NFSD_FAULT_INJECTION is not set
 CONFIG_GRACE_PERIOD=m
 CONFIG_LOCKD=m
@@ -4118,11 +4128,33 @@ CONFIG_KEYS=y
 # CONFIG_BIG_KEYS is not set
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
-# CONFIG_SECURITYFS is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+# CONFIG_SECURITY_PATH is not set
 # CONFIG_INTEL_TXT is not set
-CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_DEFAULT_SECURITY=""
+CONFIG_LSM_MMAP_MIN_ADDR=65536
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_YAMA is not set
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="selinux"
 CONFIG_XOR_BLOCKS=m
 CONFIG_ASYNC_CORE=m
 CONFIG_ASYNC_MEMCPY=m
diff --git a/scripts/build-common b/scripts/build-common
index e3345e4..e095579 100644
--- a/scripts/build-common
+++ b/scripts/build-common
@@ -1,8 +1,8 @@
 #!/bin/bash
 set -e
-: ${KERNEL_URL:="https://github.com/rancher/linux/archive/Ubuntu-4.2.0-28.33-rancher.tar.gz"}
-: ${KERNEL_SHA1:="2cf7bf21f84570dc337bfa4eed43570a32e312a4"}
+: ${KERNEL_URL:="https://github.com/rancher/linux/archive/SELinux-4.4.2-rancher.tar.gz"}
+: ${KERNEL_SHA1:="2f9793e98e2548558712e16feccc78e72886a825"}
 : ${ARTIFACTS:=$(pwd)/assets}
 : ${BUILD:=/usr/src}
 : ${CONFIG:=$(pwd)/config}
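Review bot: `CONFIG_SECURITY_SELINUX_DISABLE=y` and `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1` in the added SELinux block weaken the LSM that this same hunk makes the default. The first keeps the selinuxfs `disable` node, which lets userspace turn SELinux off for the rest of the boot as long as no policy has been loaded yet. The second makes the mmap/mprotect checks use the protection the application asked for rather than the one the kernel will actually apply. Unless something in the image depends on either, I would ship `# CONFIG_SECURITY_SELINUX_DISABLE is not set` and `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0`. With `CONFIG_SECURITY_SELINUX_DEVELOP=y` the kernel also starts permissive unless `enforcing=1` is on the command line, so the commit description should say where the policy load and the switch to enforcing are expected to happen.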
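Review bot: The new kernel tarball is pinned only by `KERNEL_SHA1`, and `KERNEL_URL` is a GitHub tag archive, which is generated on request and follows whatever the `SELinux-4.4.2-rancher` tag points at. SHA-1 no longer offers collision resistance, so for a kernel source download I would add a SHA-256 pin beside it, for example `: ${KERNEL_SHA256:="<sha256 of the tarball>"}`, and have the download step compare against that value. The code that fetches and checks the archive is outside this hunk, so whether the digest is enforced at all could not be confirmed from here. Both defaults can also be overridden from the environment through `: ${VAR:=...}`, which matters for any CI job that produces release artifacts.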