[yocto] [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral

akuster808 akuster808 at gmail.com
Sun Mar 31 12:35:33 PDT 2019



On 3/31/19 10:59 AM, Adrian Bunk wrote:
> On Sun, Mar 31, 2019 at 10:28:59AM -0700, Armin Kuster wrote:
>> update apparmor configs
>>
>> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> ---
>>  recipes-kernel/linux/linux-yocto/apparmor.cfg        | 12 +++++++-----
>>  .../linux/linux-yocto/apparmor_on_boot.cfg           |  1 +
>>  ...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} |  1 +
>>  3 files changed, 9 insertions(+), 5 deletions(-)
>>  create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
>>  rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => linux-yocto_%.bbappend} (78%)
>>
>> diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg
>> index 1dc4168..b5f9bb2 100644
>> --- a/recipes-kernel/linux/linux-yocto/apparmor.cfg
>> +++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg
>> @@ -1,13 +1,15 @@
>>  CONFIG_AUDIT=y
>> -CONFIG_AUDITSYSCALL=y
>> -CONFIG_AUDIT_WATCH=y
>> -CONFIG_AUDIT_TREE=y
>>  # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
>> +CONFIG_SECURITY_NETWORK=y
>> +# CONFIG_SECURITY_NETWORK_XFRM is not set
>>  CONFIG_SECURITY_PATH=y
>>  # CONFIG_SECURITY_SELINUX is not set
>>  CONFIG_SECURITY_APPARMOR=y
>> -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>>  CONFIG_SECURITY_APPARMOR_HASH=y
>>  CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
>> +# CONFIG_SECURITY_APPARMOR_DEBUG is not set
>>  CONFIG_INTEGRITY_AUDIT=y
>> -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
>> +CONFIG_DEFAULT_SECURITY_APPARMOR=y
>> +# CONFIG_DEFAULT_SECURITY_DAC is not set
>> +CONFIG_DEFAULT_SECURITY="apparmor"
>> +CONFIG_AUDIT_GENERIC=y
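Review bot: The flip at the bottom of this hunk from `# CONFIG_DEFAULT_SECURITY_APPARMOR is not set` to `CONFIG_DEFAULT_SECURITY_APPARMOR=y`, together with `CONFIG_DEFAULT_SECURITY="apparmor"`, makes AppArmor the default security module for every kernel that picks up this fragment, yet the commit message says only "update apparmor configs". Please state that in the message, along with why `CONFIG_AUDITSYSCALL=y`, `CONFIG_AUDIT_WATCH=y` and `CONFIG_AUDIT_TREE=y` are dropped at the top while `CONFIG_AUDIT=y` stays, so a reader can tell whether syscall auditing is meant to be left to the kernel default or turned off.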
>> diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
>> new file mode 100644
>> index 0000000..fc35740
>> --- /dev/null
>> +++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
>> @@ -0,0 +1 @@
>> +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
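Review bot: `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` now lives in its own fragment, but the bbappend hunk is elided in this quote, so it is not visible how apparmor_on_boot.cfg gets pulled in or under what condition. Since the bbappend is renamed to match linux-yocto_%, the fragment should be gated on kernel version, or paired with a CONFIG_LSM-based fragment for kernels where this option no longer exists, as the reply below points out for 5.1.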
>> ...
> This and some of the other touched options are removed in kernel 5.1, 
> replaced with a different CONFIG_LSM mechanism.
Ah, 5.1... good point...

At some point I really should get these in the kernel-cache.

Thanks for the review.

- armin
>
> cu
> Adrian
>


