From 8f97efb7c6eb90e962221af58007d4026302f607 Mon Sep 17 00:00:00 2001
From: Oskari Rauta
Date: Thu, 22 Apr 2021 02:52:12 +0300
Subject: [PATCH] kernel: add AppArmor support

Adds flags to AppArmor support in kernel configuration. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control.

Signed-off-by: Oskari Rauta
---
 config/Config-build.in  |  8 ++++++
 config/Config-kernel.in | 59 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index f0e1aaa695..29ea7d40c9 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -386,4 +386,12 @@ menu "Global build settings"
 
 	endchoice
 
+	config APPARMOR
+		bool "Enable AppArmor"
+		select KERNEL_SECURITY_APPARMOR
+		select PACKAGE_apparmor
+		help
+		  This option enables the AppArmor security module and
+		  selects AppArmor userspace tools.
+
 endmenu
diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index f71114b5da..32776c27d2 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1151,10 +1151,17 @@ config KERNEL_AUDIT
 config KERNEL_SECURITY
 	bool "Enable different security models"
 
+config KERNEL_SECURITYFS
+	bool "Enable securityfs filesystem"
+
 config KERNEL_SECURITY_NETWORK
 	bool "Socket and Networking Security Hooks"
 	select KERNEL_SECURITY
 
+config KERNEL_SECURITY_PATH
+	bool "Pathname Access Control Security Hooks"
+	select KERNEL_SECURITY
+
 config KERNEL_SECURITY_SELINUX
 	bool "NSA SELinux Support"
 	select KERNEL_SECURITY_NETWORK
@@ -1164,6 +1171,9 @@ config KERNEL_SECURITY_SELINUX_BOOTPARAM
 	bool "NSA SELinux boot parameter"
 	depends on KERNEL_SECURITY_SELINUX
 	default y
+	help
+	  SELinux cannot be active at same time with AppArmor
+	  Choose one of them at a time as default.
 
 config KERNEL_SECURITY_SELINUX_DISABLE
 	bool "NSA SELinux runtime disable"
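Review bot: The help text added under KERNEL_SECURITY_SELINUX_BOOTPARAM states that SELinux and AppArmor cannot be active at the same time, but nothing in the Kconfig enforces that — both KERNEL_SECURITY_SELINUX and KERNEL_SECURITY_APPARMOR can still be set together, and the warning only appears on a sub-option rather than on KERNEL_SECURITY_SELINUX itself. As far as I recall the kernel then initialises only the first exclusive LSM named in CONFIG_LSM, so with the ordering this patch gives KERNEL_LSM it would be AppArmor that wins, silently leaving SELinux unused despite the "default y" here. A real constraint such as `depends on !KERNEL_SECURITY_APPARMOR` on KERNEL_SECURITY_SELINUX (or a `choice` between the two) would make the conflict visible at configuration time. The wording itself should also be tidied, e.g. `SELinux cannot be active at the same time as AppArmor;` / `choose only one of them as the default LSM.`. The enclosing KERNEL_SECURITY_SELINUX_BOOTPARAM block starts on the hunk header line, outside the hunk body.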
@@ -1184,9 +1194,56 @@ config KERNEL_SECURITY_SELINUX_SID2STR_CACHE_SIZE
 	depends on KERNEL_SECURITY_SELINUX
 	default 256
 
+config KERNEL_SECURITY_APPARMOR
+	bool "AppArmor Support"
+	select KERNEL_AUDIT
+	select KERNEL_SECURITY
+	select KERNEL_SECURITY_FS
+	select KERNEL_SECURITY_PATH
+	select KERNEL_SECURITY_NETWORK
+
+config KERNEL_DEFAULT_SECURITY_APPARMOR
+	bool "Select AppArmor as default security module"
+
+config KERNEL_SECURITY_APPARMOR_BOOTPARAM_VALUE
+	int
+	default 0
+	help
+	  This option sets the default value for the kernel parameter
+	  'apparmor', which allows AppArmor to be enabled or disabled
+	  at boot. If this option is set to 0 (zero), the AppArmor
+	  kernel parameter will default to 0, disabling AppArmor at
+	  boot. If this option is set to 1 (one), the AppArmor
+	  kernel parameter will default to 1, enabling AppArmor at
+	  boot.
+
+	  AppArmor and SELinux cannot be used simultaneously, choose
+	  only one of them as default.
+	depends on KERNEL_SECURITY_APPARMOR
+
+config KERNEL_SECURITY_APPARMOR_HASH
+	bool "Enable introspection of sha1 hashes for loaded profiles"
+	depends on KERNEL_SECURITY_APPARMOR
+
+config KERNEL_SECURITY_APPARMOR_HASH_DEFAULT
+	bool "Enable policy hash introspection by default"
+	depends on KERNEL_SECURITY_APPARMOR_HASH
+
+config KERNEL_SECURITY_APPARMOR_DEBUG
+	bool "Build AppArmor with debug code"
+	depends on KERNEL_SECURITY_APPARMOR
+
+config KERNEL_SECURITY_APPARMOR_DEBUG_ASSERTS
+	bool "Build AppArmor with debugging asserts"
+	depends on KERNEL_SECURITY_APPARMOR_DEBUG
+
+config KERNEL_SECURITY_APPARMOR_DEBUG_MESSAGES
+	bool "AppArmor debug messages enabled by default"
+	depends on KERNEL_SECURITY_APPARMOR_DEBUG
+
 config KERNEL_LSM
 	string
-	default "lockdown,yama,loadpin,safesetid,integrity,selinux"
+	default "lockdown,yama,apparmor,loadpin,safesetid,integrity,selinux"
 	depends on KERNEL_SECURITY_SELINUX
 
 config KERNEL_EXT4_FS_SECURITY
-- 
2.30.2
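Review bot: KERNEL_SECURITY_APPARMOR does `select KERNEL_SECURITY_FS`, but the symbol this patch defines earlier in the file is KERNEL_SECURITYFS (matching the kernel's CONFIG_SECURITYFS), so as far as I can tell the select creates an unknown symbol and securityfs is never actually enabled; without /sys/kernel/security/apparmor the userspace tools cannot load any profiles, and the module builds but confines nothing. The line should read `select KERNEL_SECURITYFS`. KERNEL_SECURITY_APPARMOR_BOOTPARAM_VALUE is added with `default 0` and no prompt, which by the option's own help text disables AppArmor at boot unless `apparmor=1` is passed on the command line and gives the user no menuconfig way to change it; `default 1` is the safer default for a build option whose stated purpose is to turn AppArmor on. KERNEL_LSM still carries `depends on KERNEL_SECURITY_SELINUX`, so an AppArmor-only build leaves CONFIG_LSM unset and relies on the kernel's built-in ordering, and KERNEL_DEFAULT_SECURITY_APPARMOR is declared but referenced by nothing; something like `depends on KERNEL_SECURITY_SELINUX || KERNEL_SECURITY_APPARMOR` on KERNEL_LSM (with the default order driven by KERNEL_DEFAULT_SECURITY_APPARMOR) would tie the two together. Minor style point: the `depends on KERNEL_SECURITY_APPARMOR` placed after the `help` block in BOOTPARAM_VALUE parses only because its indentation ends the help text, and belongs above `help` like the other entries.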