| -rw-r--r-- | dashboard/config/upstream-apparmor.cmdline | 9 | ||||
| -rw-r--r-- | dashboard/config/upstream-selinux.cmdline (renamed from dashboard/config/upstream.cmdline) | 1 | ||||
| -rw-r--r-- | pkg/build/linux_generated.go | 1 | ||||
| -rwxr-xr-x | tools/create-gce-image.sh | 3 | ||||
| -rwxr-xr-x | tools/create-image.sh | 1 |
5 files changed, 10 insertions, 5 deletions
diff --git a/dashboard/config/upstream-apparmor.cmdline b/dashboard/config/upstream-apparmor.cmdline
new file mode 100644
index 000000000..1a85912cb
--- /dev/null
+++ b/dashboard/config/upstream-apparmor.cmdline
@@ -0,0 +1,9 @@
+security=apparmor
+workqueue.watchdog_thresh=140
+kvm-intel.nested=1
+nf-conntrack-ftp.ports=20000
+nf-conntrack-tftp.ports=20000
+nf-conntrack-sip.ports=20000
+nf-conntrack-irc.ports=20000
+nf-conntrack-sane.ports=20000
+nopcid
diff --git a/dashboard/config/upstream.cmdline b/dashboard/config/upstream-selinux.cmdline
index b475f380a..fbfc9f6f9 100644
--- a/dashboard/config/upstream.cmdline
+++ b/dashboard/config/upstream-selinux.cmdline
@@ -1,3 +1,4 @@
+security=selinux
 workqueue.watchdog_thresh=140
 kvm-intel.nested=1
 nf-conntrack-ftp.ports=20000
diff --git a/pkg/build/linux_generated.go b/pkg/build/linux_generated.go
index 11a00bba4..14df94954 100644
--- a/pkg/build/linux_generated.go
+++ b/pkg/build/linux_generated.go
@@ -67,7 +67,6 @@ for i in {0..31}; do
 echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \
 sudo tee -a disk.mnt/etc/udev/50-binder.rules
 done
-echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config
 echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf
 echo "debug.exception-trace = 0" | sudo tee -a disk.mnt/etc/sysctl.conf
diff --git a/tools/create-gce-image.sh b/tools/create-gce-image.sh
index 177c208ee..0db7fc065 100755
--- a/tools/create-gce-image.sh
+++ b/tools/create-gce-image.sh
@@ -108,9 +108,6 @@ for i in {0..31}; do
 echo "KERNEL==\"binder$i\", NAME=\"binder$i\", MODE=\"0666\"" | \
 sudo tee -a disk.mnt/etc/udev/50-binder.rules
 done
-# We disable selinux for now because the default policy on wheezy prevents
-# mounting of cgroup2 (and stretch we don't know how to configure yet).
-echo 'SELINUX=disabled' | sudo tee disk.mnt/etc/selinux/config
 # sysctls
 echo "kernel.printk = 7 4 1 3" | sudo tee -a disk.mnt/etc/sysctl.conf
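Review bot: `security=apparmor` on the first added line of upstream-apparmor.cmdline only selects AppArmor when the kernel this cmdline is paired with is built with it; a kernel that lacks the named LSM does not fail to boot but silently falls back to its built-in default, so a mismatch between this file and the corresponding kernel config would go unnoticed and the fuzzing run would quietly use the wrong LSM. Nothing in the hunk records that dependency, and a .cmdline file cannot hold a comment without the text being handed to the kernel. I would document the required AppArmor kernel option next to the companion kernel config (or in the commit description) and, if the harness has a boot-time sanity check, have it confirm the active LSM from /sys/kernel/security/lsm. The same applies to the `+security=selinux` line in the upstream-selinux.cmdline hunk.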
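Review bot: With `echo 'SELINUX=disabled'` removed from the image scripts elsewhere in this commit, the effective SELinux mode under `+security=selinux` in the upstream-selinux.cmdline hunk is now decided by whatever /etc/selinux/config and policy the base image happens to ship, which the diff does not pin; the same kernel could come up permissive on one image build and enforcing on another (or, depending on the init system, stall at boot if policy load fails). I would state the intended mode explicitly in the description or in the image scripts, and if enforcing is not the goal, add `enforcing=0` to this cmdline so the result does not depend on the image.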
diff --git a/tools/create-image.sh b/tools/create-image.sh
index a0ad610c8..91eb0a133 100755
--- a/tools/create-image.sh
+++ b/tools/create-image.sh
@@ -19,7 +19,6 @@ echo 'T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100' | sudo tee -a $DIR/etc/in
 printf '\nauto eth0\niface eth0 inet dhcp\n' | sudo tee -a $DIR/etc/network/interfaces
 echo 'debugfs /sys/kernel/debug debugfs defaults 0 0' | sudo tee -a $DIR/etc/fstab
 echo 'binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc defaults 0 0' | sudo tee -a $DIR/etc/fstab
-echo 'SELINUX=disabled' | sudo tee $DIR/etc/selinux/config
 echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf
 echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf
 echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf
