config KERNEL_SECURITY
bool "Enable different security models"
+config KERNEL_SECURITYFS
+ bool "Enable securityfs filesystem"
+
config KERNEL_SECURITY_NETWORK
bool "Socket and Networking Security Hooks"
select KERNEL_SECURITY
+config KERNEL_SECURITY_PATH
+ bool "Pathname Access Control Security Hooks"
+ select KERNEL_SECURITY
+
config KERNEL_SECURITY_SELINUX
bool "NSA SELinux Support"
select KERNEL_SECURITY_NETWORK
bool "NSA SELinux boot parameter"
depends on KERNEL_SECURITY_SELINUX
default y
+ help
+ SELinux cannot be active at same time with AppArmor
+ Choose one of them at a time as default.
config KERNEL_SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable"
depends on KERNEL_SECURITY_SELINUX
default 256
+config KERNEL_SECURITY_APPARMOR
+ bool "AppArmor Support"
+ select KERNEL_AUDIT
+ select KERNEL_SECURITY
+ select KERNEL_SECURITY_FS
+ select KERNEL_SECURITY_PATH
+ select KERNEL_SECURITY_NETWORK
+
+config KERNEL_DEFAULT_SECURITY_APPARMOR
+ bool "Select AppArmor as default security module"
+
+config KERNEL_SECURITY_APPARMOR_BOOTPARAM_VALUE
+ int
+ default 0
+ help
+ This option sets the default value for the kernel parameter
+ 'apparmor', which allows AppArmor to be enabled or disabled
+ at boot. If this option is set to 0 (zero), the AppArmor
+ kernel parameter will default to 0, disabling AppArmor at
+ boot. If this option is set to 1 (one), the AppArmor
+ kernel parameter will default to 1, enabling AppArmor at
+ boot.
+
+ AppArmor and SELinux cannot be used simultaneously, choose
+ only one of them as default.
+ depends on KERNEL_SECURITY_APPARMOR
+
+config KERNEL_SECURITY_APPARMOR_HASH
+ bool "Enable introspection of sha1 hashes for loaded profiles"
+ depends on KERNEL_SECURITY_APPARMOR
+
+config KERNEL_SECURITY_APPARMOR_HASH_DEFAULT
+ bool "Enable policy hash introspection by default"
+ depends on KERNEL_SECURITY_APPARMOR_HASH
+
+config KERNEL_SECURITY_APPARMOR_DEBUG
+ bool "Build AppArmor with debug code"
+ depends on KERNEL_SECURITY_APPARMOR
+
+config KERNEL_SECURITY_APPARMOR_DEBUG_ASSERTS
+ bool "Build AppArmor with debugging asserts"
+ depends on KERNEL_SECURITY_APPARMOR_DEBUG
+
+config KERNEL_SECURITY_APPARMOR_DEBUG_MESSAGES
+ bool "AppArmor debug messages enabled by default"
+ depends on KERNEL_SECURITY_APPARMOR_DEBUG
+
config KERNEL_LSM
string
- default "lockdown,yama,loadpin,safesetid,integrity,selinux"
+ default "lockdown,yama,apparmor,loadpin,safesetid,integrity,selinux"
depends on KERNEL_SECURITY_SELINUX
config KERNEL_EXT4_FS_SECURITY
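Review bot: `select KERNEL_SECURITY_FS` in the new KERNEL_SECURITY_APPARMOR entry names a symbol this patch does not define; the entry added earlier is `config KERNEL_SECURITYFS`, so unless KERNEL_SECURITY_FS exists elsewhere in the file, the select does not pull in securityfs and should read `select KERNEL_SECURITYFS`. KERNEL_SECURITY_APPARMOR_BOOTPARAM_VALUE is a prompt-less `int` with `default 0`, so by its own help text an image built with AppArmor selected boots with AppArmor disabled, and the value cannot be changed from menuconfig. Adding a prompt, or `default 1 if KERNEL_DEFAULT_SECURITY_APPARMOR` ahead of `default 0`, would avoid a build that looks confined but is not. KERNEL_DEFAULT_SECURITY_APPARMOR has no `depends on KERNEL_SECURITY_APPARMOR`, and KERNEL_LSM keeps `depends on KERNEL_SECURITY_SELINUX`, so an AppArmor-only configuration never receives the new LSM list; `depends on KERNEL_SECURITY_SELINUX || KERNEL_SECURITY_APPARMOR` looks like the intent. The context lines around this hunk are incomplete on the page, so these entries may carry attributes not shown here.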