From 168faef4430240e997c1e85fd32a532bcc9742bd Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni
Date: Sun, 23 Aug 2020 21:45:52 -0500
Subject: [PATCH] kernel: add options needed for SELinux

This adds a number of options to config/Config-kernel.in so that packages related to SELinux support can enable the appropriate Linux kernel support.

Signed-off-by: Thomas Petazzoni
[rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
Signed-off-by: W. Michael Petullo
---
 config/Config-kernel.in | 55 +++++++++++++++++++++++++++++++++
 target/linux/generic/config-5.4 | 25 +++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index d666176064..4eaaa4afae 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1081,6 +1081,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE
 default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
 default 3
 
+config KERNEL_SQUASHFS_XATTR
+ bool "Squashfs XATTR support"
+
 #
 # compile optimiziation setting
 #
@@ -1102,3 +1105,55 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE
 your compiler resulting in a smaller kernel.
 
 endchoice
+
+config KERNEL_AUDIT
+ bool "Auditing support"
+
+config KERNEL_SECURITY
+ bool "Enable different security models"
+
+config KERNEL_SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ select KERNEL_SECURITY
+
+config KERNEL_SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ select KERNEL_SECURITY_NETWORK
+ select KERNEL_AUDIT
+
+config KERNEL_SECURITY_SELINUX_BOOTPARAM
+ bool "NSA SELinux boot parameter"
+ depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DISABLE
+ bool "NSA SELinux runtime disable"
+ depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DEVELOP
+ bool "NSA SELinux Development Support"
+ depends on KERNEL_SECURITY_SELINUX
+
+choice
+ prompt "First legacy 'major LSM' to be initialized"
+ depends on KERNEL_SECURITY_SELINUX
+ default KERNEL_DEFAULT_SECURITY_SELINUX
+
+ config KERNEL_DEFAULT_SECURITY_SELINUX
+ bool "SELinux"
+
+ config KERNEL_DEFAULT_SECURITY_DAC
+ bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config KERNEL_EXT4_FS_SECURITY
+ bool "Ext4 Security Labels"
+
+config KERNEL_F2FS_FS_SECURITY
+ bool "F2FS Security Labels"
+
+config KERNEL_UBIFS_FS_SECURITY
+ bool "UBIFS Security Labels"
+
+config KERNEL_JFFS2_FS_SECURITY
+ bool "JFFS2 Security Labels"
diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4
index c39bd56cfa..d543819aad 100644
--- a/target/linux/generic/config-5.4
+++ b/target/linux/generic/config-5.4
@@ -1210,6 +1210,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_DEFAULT_SECURITY_DAC=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"
 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
 # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
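Review bot: None of the new `config` symbols in this hunk carry a `help` block, so a menuconfig user cannot see that `KERNEL_SECURITY_SELINUX_DISABLE` and `KERNEL_SECURITY_SELINUX_DEVELOP` each weaken enforcement: the first lets SELinux be switched off at runtime before the policy is loaded (and, as far as I recall the upstream help text, keeps the LSM hook table writable after init for that purpose), the second makes the kernel boot permissive unless `enforcing=1` is passed on the command line. A short `help` paragraph under each stating that trade-off, in the style of the upstream Kconfig entries, would put the information where the choice is made. Separately, `KERNEL_SECURITY_SELINUX` selects `KERNEL_SECURITY_NETWORK` and `KERNEL_AUDIT` but not the `KERNEL_SQUASHFS_XATTR` symbol added in the first hunk, although SELinux file labels live in xattrs and a labelled squashfs root presumably needs them readable; adding `select KERNEL_SQUASHFS_XATTR` there would keep that dependency from being missed. The four `*_FS_SECURITY` symbols are likewise unconditional, so `depends on KERNEL_SECURITY` would keep them out of menus where no LSM is enabled.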
@@ -1526,6 +1527,7 @@ CONFIG_EXTRA_TARGETS=""
 # CONFIG_FAILOVER is not set
 # CONFIG_FAIR_GROUP_SCHED is not set
 # CONFIG_FANOTIFY is not set
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 # CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -1671,6 +1673,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y
 # CONFIG_FORCEDETH is not set
 CONFIG_FORCE_MAX_ZONEORDER=11
 CONFIG_FORTIFY_SOURCE=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_INTEGRITY is not set
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_INTEGRITY_AUDIT is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_LSM is not set
 # CONFIG_FPGA is not set
 # CONFIG_FRAMEBUFFER_CONSOLE is not set
 # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set
@@ -3366,6 +3386,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
 # CONFIG_NETFILTER_XT_TARGET_TEE is not set
 # CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
 # CONFIG_NETFILTER_XT_TARGET_TRACE is not set
 # CONFIG_NETLINK_DIAG is not set
 # CONFIG_NETLINK_MMAP is not set
@@ -3373,6 +3394,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETROM is not set
 CONFIG_NETWORK_FILESYSTEMS=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_NETWORK_SECMARK is not set
 # CONFIG_NETXEN_NIC is not set
 # CONFIG_NET_9P is not set
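Review bot: `# CONFIG_LSM is not set` at the end of the FORTIFY_SOURCE hunk pins nothing, because CONFIG_LSM is, as far as I recall for 5.4, a string symbol holding the ordered list of LSMs to initialize, and kconfig ignores an "is not set" line for a non-boolean symbol, so whenever a target turns `CONFIG_SECURITY` on the initialization order silently falls back to whatever the kernel's default for the chosen `CONFIG_DEFAULT_SECURITY_*` value happens to be. Writing the intended list explicitly, e.g. `CONFIG_LSM="<intended ordered LSM list>"`, keeps the order, and with it which exclusive major LSM wins, under the project's control rather than the kernel's. The same hunk drops the whole `CONFIG_SECURITY_*`/`CONFIG_INTEGRITY*`/`CONFIG_IMA`/`CONFIG_EVM` block between `CONFIG_FORTIFY_SOURCE` and `CONFIG_FPGA`, and the `CONFIG_NETFILTER_XT_TARGET_SECMARK` and `CONFIG_NETLABEL` lines in the two later hunks are likewise placed out of the alphabetical order the surrounding lines follow, which the next regeneration of this file will reshuffle; sorting them in now avoids a noisy follow-up diff. `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0` is the right default here, since it makes the kernel check the actual mapping protection rather than the one the caller requested.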
@@ -3647,6 +3669,7 @@ CONFIG_NFS_V3=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
 # CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
 # CONFIG_NF_CONNTRACK_SIP is not set
 # CONFIG_NF_CONNTRACK_SNMP is not set
 # CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4569,6 +4592,8 @@ CONFIG_SCSI_PROC_FS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_SECURITY is not set
 # CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SELECT_MEMORY_MODEL=y
 # CONFIG_SENSIRION_SGP30 is not set
-- 
2.30.2
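Review bot: `CONFIG_LSM_MMAP_MIN_ADDR=65536` in the second hunk lands in the generic config shared by every architecture, and the upstream help for that option, as far as I recall, advises that it should not exceed 32768 on arm; the value is dormant while the context line `# CONFIG_SECURITY is not set` holds, but as soon as a target enables SELinux the 64 KiB floor starts being enforced on low mappings, so a lower generic value or a per-architecture override would be safer than discovering the breakage on the first 32-bit ARM SELinux build. The line is also inserted between `CONFIG_SECURITYFS` and `CONFIG_SECURITY_DMESG_RESTRICT`, out of the sorted order the file keeps; `CONFIG_LSM_MMAP_MIN_ADDR` belongs next to the other `CONFIG_LSM*` entries so a later refresh does not move it.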