From aefe000bd0cef8ec465b5fc14a1985ebba1fa429 Mon Sep 17 00:00:00 2001
From: Konrad Eriksson
Date: Sat, 23 Mar 2024 00:09:46 +0100
Subject: [PATCH] feat: configure kernel to include AppArmor LSM

Enable AppArmor LSM.

Signed-off-by: Noel Georgi
---
 kernel/build/config-amd64 | 14 +++++++++++---
 kernel/build/config-arm64 | 14 +++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
index 5ece7a09..4d7dc159 100644
--- a/kernel/build/config-amd64
+++ b/kernel/build/config-amd64
@@ -5648,7 +5648,13 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SELINUX is not set
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_APPARMOR=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
+CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
@@ -5668,6 +5674,7 @@ CONFIG_INTEGRITY_AUDIT=y
 CONFIG_IMA=y
 # CONFIG_IMA_KEXEC is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_NG_TEMPLATE=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
@@ -5689,8 +5696,9 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_DISABLE_HTABLE is not set
 # CONFIG_EVM is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf,apparmor"
 
 #
 # Kernel hardening options
@@ -6058,7 +6066,7 @@ CONFIG_ZLIB_DEFLATE=y
 CONFIG_LZO_COMPRESS=y
 CONFIG_LZO_DECOMPRESS=y
 CONFIG_ZSTD_COMMON=y
-CONFIG_ZSTD_COMPRESS=m
+CONFIG_ZSTD_COMPRESS=y
 CONFIG_ZSTD_DECOMPRESS=y
 CONFIG_XZ_DEC=y
 CONFIG_XZ_DEC_X86=y
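Review bot: `+CONFIG_IMA_LSM_RULES=y` in the second amd64 hunk is added without the commit message saying why, and the option on its own changes nothing: it only allows IMA policy rules to match on LSM subject/object labels, so it is inert until an IMA policy actually contains such rules. If it is simply the default that becomes selectable once AppArmor is built in, a one-line note such as `IMA_LSM_RULES becomes available with AppArmor and is left at its default` in the commit message would stop the next reader from assuming label-based IMA rules are in use. If label matching is intended, the IMA policy that depends on it should be referenced.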
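Review bot: Appending `apparmor` after `bpf` in `CONFIG_LSM` (third amd64 hunk) diverges from the upstream default order, which keeps `bpf` as the last entry (`...,tomoyo,apparmor,bpf`). LSM hooks are called in this order and stop at the first denial, so the order decides which module sees a given operation first and which one is attributed in audit when it is denied; upstream places `bpf` last so that BPF LSM programs only run on operations the built-in LSMs have already allowed. Unless the inverted order is deliberate, suggest `CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,bpf"` in both architecture configs, and a sentence in the commit message if it is deliberate.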
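Review bot: The `CONFIG_ZSTD_COMPRESS` flip from `m` to `y` in the last amd64 hunk is not explained by the commit message; it is presumably a consequence of `CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y` in the first hunk, which needs the zstd compressor for raw policy export, rather than an independent decision. A sentence such as `ZSTD_COMPRESS becomes built-in because APPARMOR_EXPORT_BINARY selects it` would record that dependency. If the userspace tooling does not need to read back raw binary policy, leaving `EXPORT_BINARY` unset would also keep zstd compression modular; this needs confirming against the intended AppArmor userspace.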
diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
index a683739e..c0a0404e 100644
--- a/kernel/build/config-arm64
+++ b/kernel/build/config-arm64
@@ -8288,7 +8288,13 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_SELINUX is not set
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_APPARMOR=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_SECURITY_APPARMOR_INTROSPECT_POLICY=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_SECURITY_APPARMOR_EXPORT_BINARY=y
+CONFIG_SECURITY_APPARMOR_PARANOID_LOAD=y
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 # CONFIG_SECURITY_SAFESETID is not set
@@ -8308,6 +8314,7 @@ CONFIG_INTEGRITY_AUDIT=y
 CONFIG_IMA=y
 # CONFIG_IMA_KEXEC is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
 CONFIG_IMA_NG_TEMPLATE=y
 # CONFIG_IMA_SIG_TEMPLATE is not set
 CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
@@ -8329,8 +8336,9 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_DISABLE_HTABLE is not set
 # CONFIG_EVM is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="yama,loadpin,safesetid,integrity,bpf,apparmor"
 
 #
 # Kernel hardening options
@@ -8732,7 +8740,7 @@ CONFIG_LZO_COMPRESS=y
 CONFIG_LZO_DECOMPRESS=y
 CONFIG_LZ4_DECOMPRESS=y
 CONFIG_ZSTD_COMMON=y
-CONFIG_ZSTD_COMPRESS=m
+CONFIG_ZSTD_COMPRESS=y
 CONFIG_ZSTD_DECOMPRESS=y
 CONFIG_XZ_DEC=y
 CONFIG_XZ_DEC_X86=y
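Review bot: The arm64 `CONFIG_LSM` change (third hunk) also appends `apparmor` after `bpf`, whereas the upstream default order keeps `bpf` last. Because hooks are evaluated in list order and short-circuit on the first denial, the order determines which LSM is consulted first and which is named in audit records on a denial, so it should be a deliberate choice rather than an append. Suggest `CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,bpf"` here so both architecture configs match each other and upstream, or a commit-message sentence explaining why `bpf` must run before AppArmor.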