Enable nfsd v4 security label (#10605)

This is a security improvement. By turning on this config AZL3 provides security label support for NFSv4 server. This feature allows for fine grained security support for fine-grained security labels SELinux policies. Without this an NFSv4 mount will have the same label on each file.

Author: rlmenge

SPECS-SIGNED/kernel-signed/kernel-signed.spec

@@ -10,7 +10,7 @@
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
 Version:        6.6.51.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
 * Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
 - Bump release to match kernel
 

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
 Version:        6.6.51.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -68,6 +68,9 @@ popd
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
 * Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
 - Bump release to match kernel
 

SPECS/kernel-headers/kernel-headers.spec

@@ -14,7 +14,7 @@
 Summary:        Linux API header files
 Name:           kernel-headers
 Version:        6.6.51.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -75,6 +75,9 @@ done
 %endif
 
 %changelog
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
 * Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
 - Bump release to match kernel
 

SPECS/kernel/config

@@ -7209,7 +7209,7 @@ CONFIG_NFSD_BLOCKLAYOUT=y
 CONFIG_NFSD_SCSILAYOUT=y
 CONFIG_NFSD_FLEXFILELAYOUT=y
 # CONFIG_NFSD_V4_2_INTER_SSC is not set
-# CONFIG_NFSD_V4_SECURITY_LABEL is not set
+CONFIG_NFSD_V4_SECURITY_LABEL=y
 CONFIG_GRACE_PERIOD=m
 CONFIG_LOCKD=m
 CONFIG_LOCKD_V4=y

SPECS/kernel/config_aarch64

@@ -10266,7 +10266,7 @@ CONFIG_NFSD_BLOCKLAYOUT=y
 CONFIG_NFSD_SCSILAYOUT=y
 CONFIG_NFSD_FLEXFILELAYOUT=y
 # CONFIG_NFSD_V4_2_INTER_SSC is not set
-# CONFIG_NFSD_V4_SECURITY_LABEL is not set
+CONFIG_NFSD_V4_SECURITY_LABEL=y
 CONFIG_GRACE_PERIOD=m
 CONFIG_LOCKD=m
 CONFIG_LOCKD_V4=y

SPECS/kernel/kernel-uki.spec

@@ -18,7 +18,7 @@
 Summary:        Unified Kernel Image
 Name:           kernel-uki
 Version:        6.6.51.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -75,6 +75,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
 /boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
 * Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
 - Remove dbus from initrd
 

SPECS/kernel/kernel.signatures.json

@@ -1,8 +1,8 @@
 {
   "Signatures": {
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-    "config": "e4fca2e2d948f3e0d88f41ec66d463b95ffdc1f4f096693bc5734a0ef7262c56",
-    "config_aarch64": "cc95198e3a70fa025f4ad78723d0e220a2a023edad31e89854d0e8ad84986209",
+    "config": "bd071455eff0bdd8c93c6cdec7590b05dfe26bfead60fe2df71c2c722af11404",
+    "config_aarch64": "c496a8275a29735e25105a86db16228e1bdde3d8ce7e0caa72d423b971d6cbda",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",

SPECS/kernel/kernel.spec

@@ -30,7 +30,7 @@
 Summary:        Linux Kernel
 Name:           kernel
 Version:        6.6.51.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -407,6 +407,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Enable nfsd v4 security label
+
 * Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
 - UKI: remove dbus from initrd
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.51.1-3.azl3.noarch.rpm
+kernel-headers-6.6.51.1-4.azl3.noarch.rpm
 glibc-2.38-8.azl3.aarch64.rpm
 glibc-devel-2.38-8.azl3.aarch64.rpm
 glibc-i18n-2.38-8.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.51.1-3.azl3.noarch.rpm
+kernel-headers-6.6.51.1-4.azl3.noarch.rpm
 glibc-2.38-8.azl3.x86_64.rpm
 glibc-devel-2.38-8.azl3.x86_64.rpm
 glibc-i18n-2.38-8.azl3.x86_64.rpm