[yocto] [meta-security][PATCH 2/2] smack kernel: add smack kernel config fragments

Patrick Ohly patrick.ohly at intel.com
Thu Oct 27 00:22:27 PDT 2016


On Wed, 2016-10-26 at 08:00 -0700, Armin Kuster wrote:
> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> ---
>  recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg | 2 ++
>  recipes-kernel/linux/linux-yocto-4.8/smack.cfg             | 8 ++++++++
>  recipes-kernel/linux/linux-yocto_4.8.bbappend              | 5 +++++
>  3 files changed, 15 insertions(+)
>  create mode 100644 recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg
>  create mode 100644 recipes-kernel/linux/linux-yocto-4.8/smack.cfg
> 
> diff --git a/recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg b/recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg
> new file mode 100644
> index 0000000..b5c4845
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-yocto-4.8/smack-default-lsm.cfg
> @@ -0,0 +1,2 @@
> +CONFIG_DEFAULT_SECURITY="smack"
> +CONFIG_DEFAULT_SECURITY_SMACK=y
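Review bot: smack-default-lsm.cfg is only meaningful together with smack.cfg, and nothing in the fragment says so: CONFIG_DEFAULT_SECURITY_SMACK is a Kconfig choice entry that is only selectable when CONFIG_SECURITY_SMACK=y, which this file does not set, so applied on its own it is dropped at merge time. Either state that dependency in a comment at the top of the fragment or fold these two lines into smack.cfg. The CONFIG_DEFAULT_SECURITY="smack" string is derived from the choice by Kconfig and does not need to be spelled out, though keeping it does no harm.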
> diff --git a/recipes-kernel/linux/linux-yocto-4.8/smack.cfg b/recipes-kernel/linux/linux-yocto-4.8/smack.cfg
> new file mode 100644
> index 0000000..62f465a
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-yocto-4.8/smack.cfg
> @@ -0,0 +1,8 @@
> +CONFIG_IP_NF_SECURITY=m
> +CONFIG_IP6_NF_SECURITY=m
> +CONFIG_EXT2_FS_SECURITY=y
> +CONFIG_EXT3_FS_SECURITY=y
> +CONFIG_EXT4_FS_SECURITY=y
> +CONFIG_SECURITY=y
> +CONFIG_SECURITY_SMACK=y
> +CONFIG_TMPFS_XATTR=y
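Review bot: the CONFIG_EXT2_FS_SECURITY, CONFIG_EXT3_FS_SECURITY, CONFIG_EXT4_FS_SECURITY and CONFIG_TMPFS_XATTR entries depend on the corresponding filesystem symbols (CONFIG_EXT2_FS, CONFIG_EXT3_FS, CONFIG_EXT4_FS, CONFIG_TMPFS), none of which this fragment sets; on a base config that lacks one of them the xattr option is silently dropped and Smack labels cannot be stored on that filesystem. Consider either adding the filesystem symbols here or documenting that the fragment assumes them, and, if the target rootfs is something other than ext*/tmpfs, adding that filesystem's xattr option as well. Separately, CONFIG_IP_NF_SECURITY=m and CONFIG_IP6_NF_SECURITY=m only provide the iptables "security" table; for Smack to act on packet marks the kernel also needs CONFIG_NETWORK_SECMARK and CONFIG_SECURITY_SMACK_NETFILTER, neither of which is in this fragment, so as posted the two netfilter lines buy nothing for Smack.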

Were these two files perhaps copied from
https://github.com/01org/meta-intel-iot-security/tree/master/meta-security-smack/recipes-kernel/linux/linux ?

Just wondering, they look, hmm, very familiar ;-)

Can you say a bit more about your plans regarding Smack support in
meta-security? A recipe for the userspace tool and the kernel config is
a start, but for a fully functional Smack-enabled image, the rootfs also
needs to be set up a bit differently.

I can imagine that it would be worthwhile to take more of the things
done in meta-intel-iot-security and then deprecate that layer.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
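As an added example (my own, not code from the patch, from meta-security or from meta-intel-iot-security), here is a small POSIX shell check for the concern these fragments raise: a symbol such as CONFIG_EXT2_FS_SECURITY=y is silently dropped when the base configuration does not enable the filesystem it depends on, and a =m request can come back as =y. The script compares a fragment against a final .config and reports every symbol that did not survive. The file names, the sample fragment and the sample .config are constructed for the demonstration. The linux-yocto kernel tooling performs a comparable audit in do_kernel_configcheck, but running the comparison by hand against the deployed .config is a quick way to confirm a fragment actually took effect.

```shell
#!/bin/sh
# Added example (not part of the patch or meta-security): verify that every
# symbol requested by a kernel config fragment survived the merge into the
# final .config. File names are hypothetical; the inputs are constructed.

# get_symbol SYM DOTCONFIG
# Prints the value of SYM in DOTCONFIG: y, m, a quoted string, "n" for a
# "# SYM is not set" line, or "unset" when the symbol does not appear at all.
get_symbol() {
    s=$1
    c=$2
    if grep -q "^$s=" "$c"; then
        sed -n "s/^$s=//p" "$c" | head -n 1
    elif grep -q "^# $s is not set\$" "$c"; then
        echo n
    else
        echo unset
    fi
}

# check_fragment FRAGMENT DOTCONFIG
# Prints one line per symbol whose final value differs from the fragment and
# returns 1 in that case, 0 when the fragment was fully applied.
check_fragment() {
    frag=$1
    cfg=$2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '') continue ;;
            '# CONFIG_'*' is not set')
                sym=${line#"# "}
                sym=${sym%" is not set"}
                want=n ;;
            '#'*) continue ;;
            CONFIG_*=*)
                sym=${line%%=*}
                want=${line#*=} ;;
            *)
                printf 'malformed fragment line: %s\n' "$line"
                rc=1
                continue ;;
        esac
        got=$(get_symbol "$sym" "$cfg")
        # a symbol absent from .config satisfies an "is not set" request
        if [ "$want" = n ] && [ "$got" = unset ]; then
            got=n
        fi
        if [ "$got" != "$want" ]; then
            printf '%s: fragment wants %s, final .config has %s\n' "$sym" "$want" "$got"
            rc=1
        fi
    done < "$frag"
    return $rc
}

# Constructed inputs: a fragment in the style of smack.cfg, and a final
# .config from a base kernel that never enabled ext2 (so the ext2 xattr
# option was dropped) and that built the netfilter security table in rather
# than as a module.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smack.cfg" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
CONFIG_DEFAULT_SECURITY="smack"
CONFIG_IP_NF_SECURITY=m
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_TMPFS_XATTR=y
# CONFIG_SECURITY_SELINUX is not set
EOF
cat > "$tmp/final.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SMACK=y
CONFIG_DEFAULT_SECURITY="smack"
CONFIG_IP_NF_SECURITY=y
# CONFIG_EXT2_FS is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_TMPFS=y
CONFIG_TMPFS_XATTR=y
# CONFIG_SECURITY_SELINUX is not set
EOF

if check_fragment "$tmp/smack.cfg" "$tmp/final.config"; then
    echo "fragment fully applied"
else
    echo "fragment NOT fully applied: fix the base config or the fragment"
fi
```

On the constructed input the check reports CONFIG_IP_NF_SECURITY (wanted m, got y) and CONFIG_EXT2_FS_SECURITY (wanted y, absent from .config); the remaining symbols, including the "is not set" line, match. Point the two arguments at the fragment from the layer and at the .config under the kernel build directory to run it against a real build.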