pmbootstrap kconfig check: add apparmor check (MR 2133)
SECURITY_APPARMOR_BOOTPARAM_VALUE was required to enable it by default until 5.1 where the option was removed. Related: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0102fb83f90050b86ce37aec810ea17bb4448e0c Related: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/Kconfig?id=fe91c4725aeed35023ba4f7a1e1adfebb6878c23#n285
@ -332,6 +332,26 @@ necessary_kconfig_options_anbox = {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Necessary apparmor kernel config options (mandatory access control)
|
||||||
|
# LSM: the value that "config LSM" sets in security/Kconfig, if
|
||||||
|
# DEFAULT_SECURITY_APPARMOR is set (and other DEFAULT_SECURITY_* are unset).
|
||||||
|
necessary_kconfig_options_apparmor = {
|
||||||
|
">=0.0.0": { # all versions
|
||||||
|
"all": { # all arches
|
||||||
|
"AUDIT": True,
|
||||||
|
"DEFAULT_SECURITY_APPARMOR": True,
|
||||||
|
"LSM": "landlock,lockdown,yama,loadpin,safesetid,integrity,"
|
||||||
|
"apparmor,selinux,smack,tomoyo,bpf",
|
||||||
|
"SECURITY_APPARMOR": True,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
"<5.1": {
|
||||||
|
"all": {
|
||||||
|
"SECURITY_APPARMOR_BOOTPARAM_VALUE": True,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
# Necessary nftables kernel config options
|
# Necessary nftables kernel config options
|
||||||
necessary_kconfig_options_nftables = {
|
necessary_kconfig_options_nftables = {
|
||||||
">=3.13.0": { # nftables support introduced here
|
">=3.13.0": { # nftables support introduced here
|
||||||
|
|
|
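Review bot: The `"LSM"` value under `">=0.0.0"` pins the full default list including landlock, lockdown and bpf, yet CONFIG_LSM itself only exists from 5.1 and those three LSMs were added later (5.4, 5.7 and 5.13 as far as I recall), so any older kernel, and any config that trims LSMs it does not ship, fails the apparmor check even though AppArmor is enabled. It would be safer to scope the `"LSM"` entry with version ranges the way the `"<5.1"` block already does, or to check only that `apparmor` is contained in the list if the comparison code supports that (the page does not show check_option, so I cannot tell). Separately, `SECURITY_APPARMOR_BOOTPARAM_VALUE` is an int Kconfig symbol (`CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1`), so a boolean `True` may be matched like a `=y` option and never succeed; please confirm how booleans are compared or use the integer if that path exists. The header comment could record why the list is pinned, e.g. `# LSM: order is the LSM initialisation order; the default list depends on the kernel version`.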
@ -403,6 +403,7 @@ def kconfig(args):
|
||||||
if not pmb.parse.kconfig.check(
|
if not pmb.parse.kconfig.check(
|
||||||
args, package,
|
args, package,
|
||||||
force_anbox_check=args.anbox,
|
force_anbox_check=args.anbox,
|
||||||
|
force_apparmor_check=args.apparmor,
|
||||||
force_nftables_check=args.nftables,
|
force_nftables_check=args.nftables,
|
||||||
force_containers_check=args.containers,
|
force_containers_check=args.containers,
|
||||||
force_zram_check=args.zram,
|
force_zram_check=args.zram,
|
||||||
|
|
|
@ -434,6 +434,8 @@ def arguments_kconfig(subparser):
|
||||||
" directly instead of a config in a package")
|
" directly instead of a config in a package")
|
||||||
check.add_argument("--anbox", action="store_true", help="check"
|
check.add_argument("--anbox", action="store_true", help="check"
|
||||||
" options needed for anbox too")
|
" options needed for anbox too")
|
||||||
|
check.add_argument("--apparmor", action="store_true", help="check"
|
||||||
|
" options needed for apparmor too")
|
||||||
check.add_argument("--nftables", action="store_true", help="check"
|
check.add_argument("--nftables", action="store_true", help="check"
|
||||||
" options needed for nftables too")
|
" options needed for nftables too")
|
||||||
check.add_argument("--containers", action="store_true",
|
check.add_argument("--containers", action="store_true",
|
||||||
|
|
|
@ -86,6 +86,7 @@ def check_option(component, details, config, config_path_pretty, option,
|
||||||
|
|
||||||
def check_config(config_path, config_path_pretty, config_arch, pkgver,
|
def check_config(config_path, config_path_pretty, config_arch, pkgver,
|
||||||
anbox=False,
|
anbox=False,
|
||||||
|
apparmor=False,
|
||||||
nftables=False,
|
nftables=False,
|
||||||
containers=False,
|
containers=False,
|
||||||
zram=False,
|
zram=False,
|
||||||
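Review bot: `check_config` gains an `apparmor` keyword but nothing in this hunk updates its docstring; if the function documents its parameters (its body continues outside the hunk), add `:param apparmor: also check the apparmor kernel config options` next to the existing anbox/nftables entries. The same applies to `force_apparmor_check` on `check` in the hunk at `@ -148,6 +151,7` and to the new `pmb:kconfigcheck-apparmor` APKBUILD option introduced in the hunk at `@ -172,6 +176,8`, which should be listed wherever the other `pmb:kconfigcheck-*` options are documented, assuming such a list exists.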
|
@ -97,6 +98,8 @@ def check_config(config_path, config_path_pretty, config_arch, pkgver,
|
||||||
components = {"postmarketOS": pmb.config.necessary_kconfig_options}
|
components = {"postmarketOS": pmb.config.necessary_kconfig_options}
|
||||||
if anbox:
|
if anbox:
|
||||||
components["anbox"] = pmb.config.necessary_kconfig_options_anbox
|
components["anbox"] = pmb.config.necessary_kconfig_options_anbox
|
||||||
|
if apparmor:
|
||||||
|
components["apparmor"] = pmb.config.necessary_kconfig_options_apparmor
|
||||||
if nftables:
|
if nftables:
|
||||||
components["nftables"] = pmb.config.necessary_kconfig_options_nftables
|
components["nftables"] = pmb.config.necessary_kconfig_options_nftables
|
||||||
if containers:
|
if containers:
|
||||||
|
@ -148,6 +151,7 @@ def check_config_options_set(config, config_path_pretty, config_arch, options,
|
||||||
|
|
||||||
def check(args, pkgname,
|
def check(args, pkgname,
|
||||||
force_anbox_check=False,
|
force_anbox_check=False,
|
||||||
|
force_apparmor_check=False,
|
||||||
force_nftables_check=False,
|
force_nftables_check=False,
|
||||||
force_containers_check=False,
|
force_containers_check=False,
|
||||||
force_zram_check=False,
|
force_zram_check=False,
|
||||||
|
@ -172,6 +176,8 @@ def check(args, pkgname,
|
||||||
pkgver = apkbuild["pkgver"]
|
pkgver = apkbuild["pkgver"]
|
||||||
check_anbox = force_anbox_check or (
|
check_anbox = force_anbox_check or (
|
||||||
"pmb:kconfigcheck-anbox" in apkbuild["options"])
|
"pmb:kconfigcheck-anbox" in apkbuild["options"])
|
||||||
|
check_apparmor = force_apparmor_check or (
|
||||||
|
"pmb:kconfigcheck-apparmor" in apkbuild["options"])
|
||||||
check_nftables = force_nftables_check or (
|
check_nftables = force_nftables_check or (
|
||||||
"pmb:kconfigcheck-nftables" in apkbuild["options"])
|
"pmb:kconfigcheck-nftables" in apkbuild["options"])
|
||||||
check_containers = force_containers_check or (
|
check_containers = force_containers_check or (
|
||||||
|
@ -186,6 +192,7 @@ def check(args, pkgname,
|
||||||
ret &= check_config(config_path, config_path_pretty, config_arch,
|
ret &= check_config(config_path, config_path_pretty, config_arch,
|
||||||
pkgver,
|
pkgver,
|
||||||
anbox=check_anbox,
|
anbox=check_anbox,
|
||||||
|
apparmor=check_apparmor,
|
||||||
nftables=check_nftables,
|
nftables=check_nftables,
|
||||||
containers=check_containers,
|
containers=check_containers,
|
||||||
zram=check_zram,
|
zram=check_zram,
|
||||||
|
|