From 6d13bea472d8f90802aea5c9e2769fa7ac9218ba Mon Sep 17 00:00:00 2001
From: Phil Elwell
Date: Tue, 1 Sep 2020 17:31:31 +0100
Subject: [PATCH] configs: Include AppArmor support AppArmor security has been a long-requested feature. This commit adds the config settings necessary to allow it to be enabled at boot time using the kernel command line (cmdline.txt) - just include: lsm="apparmor" The commit also includes a few settings to give better control over processes or containers. See: https://github.com/raspberrypi/linux/pull/1698
Signed-off-by: Jean-Christophe Berthon
Signed-off-by: Phil Elwell
---
 arch/arm/configs/bcm2709_defconfig | 7 ++++++-
 arch/arm/configs/bcm2711_defconfig | 6 ++++++
 arch/arm/configs/bcmrpi_defconfig | 8 +++++++-
 arch/arm64/configs/bcm2711_defconfig | 6 ++++++
 arch/arm64/configs/bcmrpi3_defconfig | 8 +++++++-
 5 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/arch/arm/configs/bcm2709_defconfig b/arch/arm/configs/bcm2709_defconfig
index 8491865dbaf6f..d14d08879c302 100644
--- a/arch/arm/configs/bcm2709_defconfig
+++ b/arch/arm/configs/bcm2709_defconfig
@@ -16,11 +16,13 @@ CONFIG_IKCONFIG=m
 CONFIG_IKCONFIG_PROC=y
 CONFIG_MEMCG=y
 CONFIG_BLK_CGROUP=y
+CONFIG_CFS_BANDWIDTH=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CPUSETS=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_CGROUP_BPF=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_NS=y
@@ -390,6 +392,7 @@ CONFIG_NET_ACT_SKBEDIT=m
 CONFIG_NET_ACT_CSUM=m
 CONFIG_BATMAN_ADV=m
 CONFIG_OPENVSWITCH=m
+CONFIG_CGROUP_NET_PRIO=y
 CONFIG_NET_PKTGEN=m
 CONFIG_HAMRADIO=y
 CONFIG_AX25=m
@@ -1429,7 +1432,9 @@ CONFIG_NLS_ISO8859_15=m
 CONFIG_NLS_KOI8_R=m
 CONFIG_NLS_KOI8_U=m
 CONFIG_DLM=m
-# CONFIG_SECURITYFS is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_LSM=""
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_XCBC=m
 CONFIG_CRYPTO_TGR192=m
diff --git a/arch/arm/configs/bcm2711_defconfig b/arch/arm/configs/bcm2711_defconfig
index 28f2a46fcd10e..a69f5de2914e4 100644
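Review bot: `CONFIG_LSM=""` in the last hunk of bcm2709_defconfig (and in the matching last hunk of the other four defconfigs) compiles AppArmor in but leaves the built-in LSM list empty, so a kernel built from these files applies no AppArmor policy unless the module is selected on the kernel command line, as the commit message's `lsm="apparmor"` does. An image or container runtime that treats `CONFIG_SECURITY_APPARMOR=y` as proof of confinement would presumably run its workloads unconfined; reading `/sys/kernel/security/lsm` after boot is the check that AppArmor is actually active. The opt-in behaviour is stated only in the commit message, so it should also be recorded wherever cmdline.txt options are documented. If AppArmor is instead meant to be on by default, the line would be `CONFIG_LSM="apparmor"`.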
--- a/arch/arm/configs/bcm2711_defconfig
+++ b/arch/arm/configs/bcm2711_defconfig
@@ -16,11 +16,13 @@ CONFIG_IKCONFIG=m
 CONFIG_IKCONFIG_PROC=y
 CONFIG_MEMCG=y
 CONFIG_BLK_CGROUP=y
+CONFIG_CFS_BANDWIDTH=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CPUSETS=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_CGROUP_BPF=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_NS=y
@@ -390,6 +392,7 @@ CONFIG_NET_ACT_SKBEDIT=m
 CONFIG_NET_ACT_CSUM=m
 CONFIG_BATMAN_ADV=m
 CONFIG_OPENVSWITCH=m
+CONFIG_CGROUP_NET_PRIO=y
 CONFIG_NET_PKTGEN=m
 CONFIG_HAMRADIO=y
 CONFIG_AX25=m
@@ -1462,6 +1465,9 @@ CONFIG_NLS_ISO8859_15=m
 CONFIG_NLS_KOI8_R=m
 CONFIG_NLS_KOI8_U=m
 CONFIG_DLM=m
+CONFIG_SECURITY=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_LSM=""
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_XCBC=m
 CONFIG_CRYPTO_TGR192=m
diff --git a/arch/arm/configs/bcmrpi_defconfig b/arch/arm/configs/bcmrpi_defconfig
index 3550cc960cae9..fb2abd398acfa 100644
--- a/arch/arm/configs/bcmrpi_defconfig
+++ b/arch/arm/configs/bcmrpi_defconfig
@@ -15,9 +15,12 @@ CONFIG_IKCONFIG=m
 CONFIG_IKCONFIG_PROC=y
 CONFIG_MEMCG=y
 CONFIG_BLK_CGROUP=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_CGROUP_BPF=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_NS=y
@@ -383,6 +386,7 @@ CONFIG_NET_ACT_SKBEDIT=m
 CONFIG_NET_ACT_CSUM=m
 CONFIG_BATMAN_ADV=m
 CONFIG_OPENVSWITCH=m
+CONFIG_CGROUP_NET_PRIO=y
 CONFIG_NET_PKTGEN=m
 CONFIG_HAMRADIO=y
 CONFIG_AX25=m
@@ -1437,7 +1441,9 @@ CONFIG_NLS_ISO8859_15=m
 CONFIG_NLS_KOI8_R=m
 CONFIG_NLS_KOI8_U=m
 CONFIG_DLM=m
-# CONFIG_SECURITYFS is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_LSM=""
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_CRYPTD=m
 CONFIG_CRYPTO_CBC=y
diff --git a/arch/arm64/configs/bcm2711_defconfig b/arch/arm64/configs/bcm2711_defconfig
index 425fb27c63172..01084e86d62aa 100644
--- a/arch/arm64/configs/bcm2711_defconfig
+++ b/arch/arm64/configs/bcm2711_defconfig
@@ -14,11 +14,13 @@ CONFIG_IKCONFIG=m
 CONFIG_IKCONFIG_PROC=y
 CONFIG_MEMCG=y
 CONFIG_BLK_CGROUP=y
+CONFIG_CFS_BANDWIDTH=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CPUSETS=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_CGROUP_BPF=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_NS=y
@@ -386,6 +388,7 @@ CONFIG_NET_ACT_SKBEDIT=m
 CONFIG_NET_ACT_CSUM=m
 CONFIG_BATMAN_ADV=m
 CONFIG_OPENVSWITCH=m
+CONFIG_CGROUP_NET_PRIO=y
 CONFIG_NET_PKTGEN=m
 CONFIG_HAMRADIO=y
 CONFIG_AX25=m
@@ -1456,6 +1459,9 @@ CONFIG_NLS_ISO8859_15=m
 CONFIG_NLS_KOI8_R=m
 CONFIG_NLS_KOI8_U=m
 CONFIG_DLM=m
+CONFIG_SECURITY=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_LSM=""
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_XCBC=m
 CONFIG_CRYPTO_TGR192=m
diff --git a/arch/arm64/configs/bcmrpi3_defconfig b/arch/arm64/configs/bcmrpi3_defconfig
index c8630c8d38b21..8e89ab26a4081 100644
--- a/arch/arm64/configs/bcmrpi3_defconfig
+++ b/arch/arm64/configs/bcmrpi3_defconfig
@@ -15,10 +15,13 @@ CONFIG_IKCONFIG=m
 CONFIG_IKCONFIG_PROC=y
 CONFIG_MEMCG=y
 CONFIG_BLK_CGROUP=y
+CONFIG_CFS_BANDWIDTH=y
+CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CPUSETS=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
 CONFIG_CGROUP_BPF=y
 CONFIG_NAMESPACES=y
 CONFIG_USER_NS=y
@@ -382,6 +385,7 @@ CONFIG_NET_ACT_SKBEDIT=m
 CONFIG_NET_ACT_CSUM=m
 CONFIG_BATMAN_ADV=m
 CONFIG_OPENVSWITCH=m
+CONFIG_CGROUP_NET_PRIO=y
 CONFIG_NET_PKTGEN=m
 CONFIG_HAMRADIO=y
 CONFIG_AX25=m
@@ -1307,7 +1311,9 @@ CONFIG_NLS_ISO8859_15=m
 CONFIG_NLS_KOI8_R=m
 CONFIG_NLS_KOI8_U=m
 CONFIG_DLM=m
-# CONFIG_SECURITYFS is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_LSM=""
 CONFIG_CRYPTO_USER=m
 CONFIG_CRYPTO_XCBC=m
 CONFIG_CRYPTO_TGR192=m