[yocto] [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends

Armin Kuster akuster808 at gmail.com
Sun Mar 31 10:29:00 PDT 2019 

Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 recipes-kernel/linux/linux-stable/apparmor.cfg    | 15 +++++++++++++++
 .../linux/linux-stable/apparmor_on_boot.cfg       |  1 +
 .../linux/linux-stable/smack-default-lsm.cfg      |  2 ++
 recipes-kernel/linux/linux-stable/smack.cfg       |  8 ++++++++
 recipes-kernel/linux/linux-stable_%.bbappend      | 11 +++++++++++
 5 files changed, 37 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-stable/apparmor.cfg
 create mode 100644 recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
 create mode 100644 recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
 create mode 100644 recipes-kernel/linux/linux-stable/smack.cfg
 create mode 100644 recipes-kernel/linux/linux-stable_%.bbappend

diff --git a/recipes-kernel/linux/linux-stable/apparmor.cfg b/recipes-kernel/linux/linux-stable/apparmor.cfg
new file mode 100644
index 0000000..b5f9bb2
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/apparmor.cfg
@@ -0,0 +1,15 @@
+CONFIG_AUDIT=y
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
diff --git a/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
new file mode 100644
index 0000000..fc35740
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
new file mode 100644
index 0000000..b5c4845
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/recipes-kernel/linux/linux-stable/smack.cfg b/recipes-kernel/linux/linux-stable/smack.cfg
new file mode 100644
index 0000000..62f465a
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/recipes-kernel/linux/linux-stable_%.bbappend b/recipes-kernel/linux/linux-stable_%.bbappend
new file mode 100644
index 0000000..321392c
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable_%.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
+"
+
+SRC_URI += "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
+"
-- 
2.17.1

More information about the yocto mailing list