From e0c9cc8b81aab935522c9f7d563b1e1037d6c403 Mon Sep 17 00:00:00 2001
From: Enzo Venturi
Date: Sat, 11 May 2024 20:28:30 -0500
Subject: [PATCH 1/8] add support for apparmor
---
 deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig b/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig
index 3bc567b7f32f..363810cfc242 100644
--- a/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig
+++ b/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig
@@ -3,6 +3,7 @@ BR2_aarch64=y
 # Toolchain
 BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
+BR2_TOOLCHAIN_BUILDROOT_CXX=y
 # System
 BR2_SYSTEM_DHCP="eth0"
@@ -114,3 +115,4 @@ BR2_PACKAGE_HOST_PYTHON=y
 BR2_PACKAGE_LIBFUSE=y
 BR2_PACKAGE_PAHOLE=y
 BR2_PACKAGE_TBB=y
+BR2_PACKAGE_APPARMOR=y
From a6103c879e8d9c52c49e4743058cb3ff5aca8b42 Mon Sep 17 00:00:00 2001
From: Enzo Venturi
Date: Sat, 11 May 2024 20:34:37 -0500
Subject: [PATCH 2/8] Add Support For Apparmor (x86_64) #8299
---
 deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig b/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig
index 56219056f576..5f4360612fbb 100644
--- a/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig
+++ b/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig
@@ -3,6 +3,7 @@ BR2_x86_64=y
 # Toolchain
 BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
+BR2_TOOLCHAIN_BUILDROOT_CXX=y
 # System
 BR2_SYSTEM_DHCP="eth0"
@@ -114,3 +115,4 @@ BR2_PACKAGE_HOST_PYTHON=y
 BR2_PACKAGE_LIBFUSE=y
 BR2_PACKAGE_PAHOLE=y
 BR2_PACKAGE_TBB=y
+BR2_PACKAGE_APPARMOR=y
From c66cc13bc7b4300edbe97e9a1677c2d64c063f8b Mon Sep 17 00:00:00 2001
From: Enzo Venturi
Date: Sat, 11 May 2024 21:17:26 -0500
Subject: [PATCH 3/8] Add Support For Apparmor (aarch64)
From 16527f5f492870ae0b74e9ef279baaabfffd0c94 Mon Sep 17 00:00:00 2001
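Review bot: `BR2_TOOLCHAIN_BUILDROOT_CXX=y` in the Toolchain section of the aarch64 defconfig is not explained by the commit message, which only mentions AppArmor. If it is there because the AppArmor package needs a C++ toolchain (presumably so, but not stated), record that next to the line, e.g. `# C++ support is needed by BR2_PACKAGE_APPARMOR`, so a later cleanup does not remove it and leave `BR2_PACKAGE_APPARMOR=y` with an unmet dependency. The x86_64 hunk in PATCH 2/8 adds the same undocumented line.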
From: minikube-bot
Date: Mon, 20 May 2024 23:42:37 +0000
Subject: [PATCH 4/8] Updating ISO to v1.33.1-1716226929-18858
---
 Makefile | 2 +-
 pkg/minikube/download/iso.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index a5bb239afdab..5eb372c10106 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ KIC_VERSION ?= $(shell grep -E "Version =" pkg/drivers/kic/types.go | cut -d \"
 HUGO_VERSION ?= $(shell grep -E "HUGO_VERSION = \"" netlify.toml | cut -d \" -f2)
 # Default to .0 for higher cache hit rates, as build increments typically don't require new ISO versions
-ISO_VERSION ?= v1.33.1-1715968808-18896
+ISO_VERSION ?= v1.33.1-1716226929-18858
 # Dashes are valid in semver, but not Linux packaging. Use ~ to delimit alpha/beta
 DEB_VERSION ?= $(subst -,~,$(RAW_VERSION))
diff --git a/pkg/minikube/download/iso.go b/pkg/minikube/download/iso.go
index 09b515bfdc1e..0ecf676d900e 100644
--- a/pkg/minikube/download/iso.go
+++ b/pkg/minikube/download/iso.go
@@ -41,7 +41,7 @@ const fileScheme = "file"
 // DefaultISOURLs returns a list of ISO URL's to consult by default, in priority order
 func DefaultISOURLs() []string {
 v := version.GetISOVersion()
- isoBucket := "minikube-builds/iso/18896"
+ isoBucket := "minikube-builds/iso/18858"
 return []string{
 fmt.Sprintf("https://storage.googleapis.com/%s/minikube-%s-%s.iso", isoBucket, v, runtime.GOARCH),
From 494ee1dc10f3d6ffea8808e9f337bd347663465f Mon Sep 17 00:00:00 2001
From: Enzo Venturi
Date: Fri, 24 May 2024 15:44:36 -0500
Subject: [PATCH 5/8] iso: add apparmor kernel config
Apparmor configured for aarch64 and x86_64 platforms, requiring activation via kernel parameters (e.g., via grub.cfg). Debug settings enabled for future apparmor issue resolution.
---
 .../board/minikube/aarch64/linux_aarch64_defconfig | 8 ++++++++
 .../board/minikube/x86_64/linux_x86_64_defconfig | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/deploy/iso/minikube-iso/board/minikube/aarch64/linux_aarch64_defconfig b/deploy/iso/minikube-iso/board/minikube/aarch64/linux_aarch64_defconfig
index 44ce8d5d8156..1cfc07388868 100644
--- a/deploy/iso/minikube-iso/board/minikube/aarch64/linux_aarch64_defconfig
+++ b/deploy/iso/minikube-iso/board/minikube/aarch64/linux_aarch64_defconfig
@@ -1284,3 +1284,11 @@ CONFIG_IP_ROUTE_MULTIPATH=y
 CONFIG_IP_MULTICAST=y
 CONFIG_IP_MULTIPLE_TABLES=y
 CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_SECURITY_APPARMOR_DEBUG=y
+CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
+CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES=y
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
diff --git a/deploy/iso/minikube-iso/board/minikube/x86_64/linux_x86_64_defconfig b/deploy/iso/minikube-iso/board/minikube/x86_64/linux_x86_64_defconfig
index 118d161e434a..4e24b00175ef 100644
--- a/deploy/iso/minikube-iso/board/minikube/x86_64/linux_x86_64_defconfig
+++ b/deploy/iso/minikube-iso/board/minikube/x86_64/linux_x86_64_defconfig
@@ -546,3 +546,11 @@ CONFIG_OPTIMIZE_INLINING=y
 CONFIG_FRAMEBUFFER_CONSOLE=y
 CONFIG_PROC_CHILDREN=y
 CONFIG_BINFMT_MISC=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_SECURITY_APPARMOR_DEBUG=y
+CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
+CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES=y
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
From e109ed0e07154022ee2b01beff17916a9ab59178 Mon Sep 17 00:00:00 2001
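Review bot: The added `CONFIG_LSM` line in the aarch64 kernel defconfig leaves it unclear whether AppArmor is active after boot. `apparmor` comes after `selinux` and `smack`, so it would only initialise by default if neither of those is built into this kernel, which the hunk does not show, and the commit message says a kernel parameter is required. Nothing in this series adds that parameter, so either move `apparmor` ahead of the other major LSMs in `CONFIG_LSM`, or document the required `lsm=` / `security=apparmor` boot option and confirm the outcome in `/sys/kernel/security/lsm`. Also reconsider `CONFIG_SECURITY_APPARMOR_DEBUG=y`, `CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y` and `CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES=y` for the released ISO: they build in assertion checks and extra kernel-log output for every user, and could stay unset until a concrete issue needs them. The x86_64 hunk in this patch adds the same eight lines.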
From: Enzo Venturi
Date: Fri, 24 May 2024 16:09:09 -0500
Subject: [PATCH 6/8] iso: add apparmor utils and extra utils
Added apparmor utilities and extra utilities to configurations for both aarch64 and x86_64 platforms. Apparmor utilities such as aa-status are helpful for exploring this LSM, while additional utilities require Perl and other dependencies, hopefully already enabled.
---
 deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig | 5 +++++
 deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig b/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig
index 363810cfc242..9e6780f66f30 100644
--- a/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig
+++ b/deploy/iso/minikube-iso/configs/minikube_aarch64_defconfig
@@ -81,6 +81,8 @@ BR2_PACKAGE_XFSPROGS=y
 BR2_PACKAGE_PARTED=y
 BR2_PACKAGE_SYSSTAT=y
 BR2_PACKAGE_LUAJIT=y
+BR2_PACKAGE_PERL=y
+BR2_PACKAGE_PYTHON3=y
 BR2_PACKAGE_LZ4=y
 BR2_PACKAGE_LZ4_PROGS=y
 BR2_PACKAGE_CA_CERTIFICATES=y
@@ -116,3 +118,6 @@ BR2_PACKAGE_LIBFUSE=y
 BR2_PACKAGE_PAHOLE=y
 BR2_PACKAGE_TBB=y
 BR2_PACKAGE_APPARMOR=y
+BR2_PACKAGE_APPARMOR_BINUTILS=y
+BR2_PACKAGE_APPARMOR_UTILS=y
+BR2_PACKAGE_APPARMOR_UTILS_EXTRA=y
diff --git a/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig b/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig
index 5f4360612fbb..2ee420b29f07 100644
--- a/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig
+++ b/deploy/iso/minikube-iso/configs/minikube_x86_64_defconfig
@@ -81,6 +81,8 @@ BR2_PACKAGE_XFSPROGS=y
 BR2_PACKAGE_PARTED=y
 BR2_PACKAGE_SYSSTAT=y
 BR2_PACKAGE_LUAJIT=y
+BR2_PACKAGE_PERL=y
+BR2_PACKAGE_PYTHON3=y
 BR2_PACKAGE_LZ4=y
 BR2_PACKAGE_LZ4_PROGS=y
 BR2_PACKAGE_CA_CERTIFICATES=y
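Review bot: `BR2_PACKAGE_PERL=y` and `BR2_PACKAGE_PYTHON3=y` in the aarch64 `@@ -81,6 +81,8 @@` hunk put two general-purpose interpreters on the node image only to satisfy the AppArmor utilities. The commit message is itself unsure about the remaining dependencies ("hopefully already enabled"). If `aa-status` is the tool that is actually wanted, check whether `BR2_PACKAGE_APPARMOR_BINUTILS` or `BR2_PACKAGE_APPARMOR_UTILS` alone provides it, and drop `BR2_PACKAGE_APPARMOR_UTILS_EXTRA` (and Perl with it) to keep the image small. Since a defconfig symbol with unmet dependencies is dropped without an error, confirm in the generated `.config` that the three `BR2_PACKAGE_APPARMOR_*` symbols survive. The x86_64 hunks `@@ -81,6 +81,8 @@` and `@@ -116,3 +118,6 @@` add the same lines.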
@@ -116,3 +118,6 @@ BR2_PACKAGE_LIBFUSE=y
 BR2_PACKAGE_PAHOLE=y
 BR2_PACKAGE_TBB=y
 BR2_PACKAGE_APPARMOR=y
+BR2_PACKAGE_APPARMOR_BINUTILS=y
+BR2_PACKAGE_APPARMOR_UTILS=y
+BR2_PACKAGE_APPARMOR_UTILS_EXTRA=y
From 3841b3dbb23db592ce04f77de399bce274322dca Mon Sep 17 00:00:00 2001
From: minikube-bot
Date: Sat, 25 May 2024 02:33:30 +0000
Subject: [PATCH 7/8] Updating ISO to v1.33.1-1716583330-18858
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 09250ab755ce..1b1c05af6f19 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ KIC_VERSION ?= $(shell grep -E "Version =" pkg/drivers/kic/types.go | cut -d \"
 HUGO_VERSION ?= $(shell grep -E "HUGO_VERSION = \"" netlify.toml | cut -d \" -f2)
 # Default to .0 for higher cache hit rates, as build increments typically don't require new ISO versions
-ISO_VERSION ?= v1.33.1-1716226929-18858
+ISO_VERSION ?= v1.33.1-1716583330-18858
 # Dashes are valid in semver, but not Linux packaging. Use ~ to delimit alpha/beta
 DEB_VERSION ?= $(subst -,~,$(RAW_VERSION))
From 43bd765e0c769e0264c2beefa79498008e49fdd0 Mon Sep 17 00:00:00 2001
From: minikube-bot
Date: Thu, 30 May 2024 05:02:42 +0000
Subject: [PATCH 8/8] Updating ISO to v1.33.1-1717022173-18858
---
 Makefile | 2 +-
 pkg/minikube/download/iso.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index c7bb09fb9c4e..43d06499f2b4 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ KIC_VERSION ?= $(shell grep -E "Version =" pkg/drivers/kic/types.go | cut -d \"
 HUGO_VERSION ?= $(shell grep -E "HUGO_VERSION = \"" netlify.toml | cut -d \" -f2)
 # Default to .0 for higher cache hit rates, as build increments typically don't require new ISO versions
-ISO_VERSION ?= v1.33.1-1716398070-18934
+ISO_VERSION ?= v1.33.1-1717022173-18858
 # Dashes are valid in semver, but not Linux packaging. Use ~ to delimit alpha/beta
 DEB_VERSION ?= $(subst -,~,$(RAW_VERSION))
diff --git a/pkg/minikube/download/iso.go b/pkg/minikube/download/iso.go
index 989c6ddcc225..0ecf676d900e 100644
--- a/pkg/minikube/download/iso.go
+++ b/pkg/minikube/download/iso.go
@@ -41,7 +41,7 @@ const fileScheme = "file"
 // DefaultISOURLs returns a list of ISO URL's to consult by default, in priority order
 func DefaultISOURLs() []string {
 v := version.GetISOVersion()
- isoBucket := "minikube-builds/iso/18934"
+ isoBucket := "minikube-builds/iso/18858"
 return []string{
 fmt.Sprintf("https://storage.googleapis.com/%s/minikube-%s-%s.iso", isoBucket, v, runtime.GOARCH),