diff --git a/pmb/config/__init__.py b/pmb/config/__init__.py
index 7a82aaba..61a28adc 100644
--- a/pmb/config/__init__.py
+++ b/pmb/config/__init__.py
@@ -332,6 +332,26 @@ necessary_kconfig_options_anbox = {
 }
 }
 
+# Necessary apparmor kernel config options (mandatory access control)
+# LSM: the value that "config LSM" sets in security/Kconfig, if
+# DEFAULT_SECURITY_APPARMOR is set (and other DEFAULT_SECURITY_* are unset).
+necessary_kconfig_options_apparmor = {
+ ">=0.0.0": { # all versions
+ "all": { # all arches
+ "AUDIT": True,
+ "DEFAULT_SECURITY_APPARMOR": True,
+ "LSM": "landlock,lockdown,yama,loadpin,safesetid,integrity,"
+ "apparmor,selinux,smack,tomoyo,bpf",
+ "SECURITY_APPARMOR": True,
+ },
+ },
+ "<5.1": {
+ "all": {
+ "SECURITY_APPARMOR_BOOTPARAM_VALUE": True,
+ },
+ },
+}
+
 # Necessary nftables kernel config options
 necessary_kconfig_options_nftables = {
 ">=3.13.0": { # nftables support introduced here
diff --git a/pmb/helpers/frontend.py b/pmb/helpers/frontend.py
index ff393d31..57e4e659 100644
--- a/pmb/helpers/frontend.py
+++ b/pmb/helpers/frontend.py
@@ -403,6 +403,7 @@ def kconfig(args):
 if not pmb.parse.kconfig.check(
 args, package,
 force_anbox_check=args.anbox,
+ force_apparmor_check=args.apparmor,
 force_nftables_check=args.nftables,
 force_containers_check=args.containers,
 force_zram_check=args.zram,
diff --git a/pmb/parse/arguments.py b/pmb/parse/arguments.py
index 43ce1d67..d66194b2 100644
--- a/pmb/parse/arguments.py
+++ b/pmb/parse/arguments.py
@@ -434,6 +434,8 @@ def arguments_kconfig(subparser):
 " directly instead of a config in a package")
 check.add_argument("--anbox", action="store_true", help="check"
 " options needed for anbox too")
+ check.add_argument("--apparmor", action="store_true", help="check"
+ " options needed for apparmor too")
 check.add_argument("--nftables", action="store_true", help="check"
 " options needed for nftables too")
 check.add_argument("--containers", action="store_true",
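Review bot: The `LSM` entry sits under `">=0.0.0"` although CONFIG_LSM only exists on kernels that have the LSM-ordering infrastructure, the same boundary the `"<5.1"` block below already assumes for SECURITY_APPARMOR_BOOTPARAM_VALUE, so on older kernels the check demands an option the kernel cannot set; moving it into a `">=5.1": {"all": {"LSM": ...}}` block keeps the two version ranges consistent. The hard-coded value also fixes the complete LSM order, and that list grows across kernel releases (landlock and bpf are later additions than the LSM option itself), so if check_option compares the string verbatim (not visible in this diff) a correct config for an in-between kernel would be reported as wrong; a per-version value, or at least a comment naming the kernel release the list was taken from, would make that limitation explicit. Separately, SECURITY_APPARMOR_BOOTPARAM_VALUE is an `int` option in the kernel (range 0 to 1) that depends on the bool SECURITY_APPARMOR_BOOTPARAM, so `True` may never match a `=1` line depending on how non-bool values are handled — worth confirming against a real pre-5.1 config, possibly by also requiring `"SECURITY_APPARMOR_BOOTPARAM": True`. What actually makes AppArmor the active major LSM is that `apparmor` precedes the other exclusive LSMs (selinux, smack, tomoyo) in the order, which the proposed string does; a one-line comment such as `# order matters: the first enabled exclusive LSM (apparmor here) wins` would document why the ordering, not just the membership, is significant.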
diff --git a/pmb/parse/kconfig.py b/pmb/parse/kconfig.py
index fde653ba..347e8fce 100644
--- a/pmb/parse/kconfig.py
+++ b/pmb/parse/kconfig.py
@@ -86,6 +86,7 @@ def check_option(component, details, config, config_path_pretty, option,
 
 def check_config(config_path, config_path_pretty, config_arch, pkgver,
 anbox=False,
+ apparmor=False,
 nftables=False,
 containers=False,
 zram=False,
@@ -97,6 +98,8 @@ def check_config(config_path, config_path_pretty, config_arch, pkgver,
 components = {"postmarketOS": pmb.config.necessary_kconfig_options}
 if anbox:
 components["anbox"] = pmb.config.necessary_kconfig_options_anbox
+ if apparmor:
+ components["apparmor"] = pmb.config.necessary_kconfig_options_apparmor
 if nftables:
 components["nftables"] = pmb.config.necessary_kconfig_options_nftables
 if containers:
@@ -148,6 +151,7 @@ def check_config_options_set(config, config_path_pretty, config_arch, options,
 
 def check(args, pkgname,
 force_anbox_check=False,
+ force_apparmor_check=False,
 force_nftables_check=False,
 force_containers_check=False,
 force_zram_check=False,
@@ -172,6 +176,8 @@ def check(args, pkgname,
 pkgver = apkbuild["pkgver"]
 check_anbox = force_anbox_check or (
 "pmb:kconfigcheck-anbox" in apkbuild["options"])
+ check_apparmor = force_apparmor_check or (
+ "pmb:kconfigcheck-apparmor" in apkbuild["options"])
 check_nftables = force_nftables_check or (
 "pmb:kconfigcheck-nftables" in apkbuild["options"])
 check_containers = force_containers_check or (
@@ -186,6 +192,7 @@ def check(args, pkgname,
 
 ret &= check_config(config_path, config_path_pretty, config_arch, pkgver,
 anbox=check_anbox,
+ apparmor=check_apparmor,
 nftables=check_nftables,
 containers=check_containers,
 zram=check_zram,
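Review bot: `check_config()` (hunk at `@@ -86`) and `check()` (hunk at `@@ -148`) each gain a keyword parameter, `apparmor` and `force_apparmor_check`, but neither hunk touches the functions' docstrings, which lie outside the shown lines; if those docstrings enumerate the keyword arguments, add an entry in the same style, along the lines of `force_apparmor_check: also check the AppArmor options, even when the APKBUILD does not set pmb:kconfigcheck-apparmor`. The new `pmb:kconfigcheck-apparmor` APKBUILD option is derived in the `@@ -172` hunk exactly like the existing `check_anbox`/`check_nftables` lines, which is consistent, though the growing set of parallel `check_* = force_*_check or ("pmb:kconfigcheck-*" in apkbuild["options"])` lines and the matching keyword list passed to `check_config` would be easier to keep in sync as one table of component names — a wider refactor than this change warrants. Both enclosing functions start and end outside these hunks.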