[openwrt/openwrt] kernel: add options needed for SELinux

LEDE Commits lede-commits at lists.infradead.org
Sun Aug 30 20:16:31 EDT 2020


dangole pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/168faef4430240e997c1e85fd32a532bcc9742bd

commit 168faef4430240e997c1e85fd32a532bcc9742bd
Author: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
AuthorDate: Sun Aug 23 21:45:52 2020 -0500

    kernel: add options needed for SELinux
    
    This adds a number of options to config/Config-kernel.in so that
    packages related to SELinux support can enable the appropriate Linux
    kernel support.
    
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
    [rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
    Signed-off-by: W. Michael Petullo <mike at flyn.org>
---
 config/Config-kernel.in         | 55 +++++++++++++++++++++++++++++++++++++++++
 target/linux/generic/config-5.4 | 25 +++++++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index d666176064..4eaaa4afae 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1081,6 +1081,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE
 	default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
 	default 3
 
+config KERNEL_SQUASHFS_XATTR
+	bool "Squashfs XATTR support"
+
 #
 # compile optimiziation setting
 #
@@ -1102,3 +1105,55 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE
 	  your compiler resulting in a smaller kernel.
 
 endchoice
+
+config KERNEL_AUDIT
+	bool "Auditing support"
+
+config KERNEL_SECURITY
+	bool "Enable different security models"
+
+config KERNEL_SECURITY_NETWORK
+	bool "Socket and Networking Security Hooks"
+	select KERNEL_SECURITY
+
+config KERNEL_SECURITY_SELINUX
+	bool "NSA SELinux Support"
+	select KERNEL_SECURITY_NETWORK
+	select KERNEL_AUDIT
+
+config KERNEL_SECURITY_SELINUX_BOOTPARAM
+	bool "NSA SELinux boot parameter"
+	depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DISABLE
+	bool "NSA SELinux runtime disable"
+	depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DEVELOP
+	bool "NSA SELinux Development Support"
+	depends on KERNEL_SECURITY_SELINUX
+
+choice
+	prompt "First legacy 'major LSM' to be initialized"
+	depends on KERNEL_SECURITY_SELINUX
+	default KERNEL_DEFAULT_SECURITY_SELINUX
+
+	config KERNEL_DEFAULT_SECURITY_SELINUX
+		bool "SELinux"
+
+	config KERNEL_DEFAULT_SECURITY_DAC
+		bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config KERNEL_EXT4_FS_SECURITY
+	bool "Ext4 Security Labels"
+
+config KERNEL_F2FS_FS_SECURITY
+	bool "F2FS Security Labels"
+
+config KERNEL_UBIFS_FS_SECURITY
+	bool "UBIFS Security Labels"
+
+config KERNEL_JFFS2_FS_SECURITY
+	bool "JFFS2 Security Labels"
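Review bot: The three options that relax SELinux enforcement, `KERNEL_SECURITY_SELINUX_BOOTPARAM`, `KERNEL_SECURITY_SELINUX_DISABLE` and `KERNEL_SECURITY_SELINUX_DEVELOP`, are added without `help` text, so nothing in menuconfig tells an image builder what they trade away. In the upstream kernel Kconfig, DEVELOP permits permissive mode, BOOTPARAM permits `selinux=0` on the kernel command line, and DISABLE permits switching SELinux off at runtime before the policy is loaded. I would add a `help` block to each saying so, for example `Allows the kernel to run in permissive mode (log, do not deny); leave off for production images.` under DEVELOP. The `*_FS_SECURITY` options at the end of the hunk are also independent of `KERNEL_SECURITY_SELINUX`, so a help line noting that a labelled root filesystem needs the matching option (and `KERNEL_SQUASHFS_XATTR` for squashfs) would save a silent mislabelling.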
diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4
index c39bd56cfa..d543819aad 100644
--- a/target/linux/generic/config-5.4
+++ b/target/linux/generic/config-5.4
@@ -1210,6 +1210,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
 # CONFIG_DEFAULT_RENO is not set
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_DEFAULT_SECURITY_DAC=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 CONFIG_DEFAULT_TCP_CONG="cubic"
 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
 # CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
@@ -1526,6 +1527,7 @@ CONFIG_EXTRA_TARGETS=""
 # CONFIG_FAILOVER is not set
 # CONFIG_FAIR_GROUP_SCHED is not set
 # CONFIG_FANOTIFY is not set
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
 # CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -1671,6 +1673,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y
 # CONFIG_FORCEDETH is not set
 CONFIG_FORCE_MAX_ZONEORDER=11
 CONFIG_FORTIFY_SOURCE=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_INTEGRITY is not set
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_INTEGRITY_AUDIT is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_LSM is not set
 # CONFIG_FPGA is not set
 # CONFIG_FRAMEBUFFER_CONSOLE is not set
 # CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set
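Review bot: `# CONFIG_LSM is not set` is probably ineffective. In 5.4, `CONFIG_LSM` is a string symbol as far as I know, and the `is not set` form only carries meaning for bool/tristate symbols, so the active LSM list would still come from the Kconfig default once `CONFIG_SECURITY` is enabled. Dropping the line, or documenting that the default list is intended, would make the resulting LSM order explicit; please confirm against a generated .config with SELinux selected. The added block also sits between `CONFIG_FORTIFY_SOURCE` and `CONFIG_FPGA`, outside the alphabetical order the surrounding context follows. The same applies to `CONFIG_NETFILTER_XT_TARGET_SECMARK`, `CONFIG_NETLABEL` and `CONFIG_LSM_MMAP_MIN_ADDR` in the later hunks, and sorted placement keeps later config refreshes from moving these security symbols around unnoticed.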
@@ -3366,6 +3386,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
 # CONFIG_NETFILTER_XT_TARGET_TEE is not set
 # CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
 # CONFIG_NETFILTER_XT_TARGET_TRACE is not set
 # CONFIG_NETLINK_DIAG is not set
 # CONFIG_NETLINK_MMAP is not set
@@ -3373,6 +3394,7 @@ CONFIG_NETDEVICES=y
 # CONFIG_NETROM is not set
 CONFIG_NETWORK_FILESYSTEMS=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+# CONFIG_NETLABEL is not set
 # CONFIG_NETWORK_SECMARK is not set
 # CONFIG_NETXEN_NIC is not set
 # CONFIG_NET_9P is not set
@@ -3647,6 +3669,7 @@ CONFIG_NFS_V3=y
 CONFIG_NF_CONNTRACK_PROCFS=y
 # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
 # CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
 # CONFIG_NF_CONNTRACK_SIP is not set
 # CONFIG_NF_CONNTRACK_SNMP is not set
 # CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4569,6 +4592,8 @@ CONFIG_SCSI_PROC_FS=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 # CONFIG_SECURITY is not set
 # CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
 CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SELECT_MEMORY_MODEL=y
 # CONFIG_SENSIRION_SGP30 is not set
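Review bot: `CONFIG_LSM_MMAP_MIN_ADDR=65536` is pinned in the generic config shared by every target. As far as I recall, the upstream Kconfig defaults this symbol to 32768 on ARM (and on ARM64 with COMPAT), and its help text says ARM should not go higher. Fixing 65536 here would override that per-architecture default once SELinux is enabled, which could cause mapping failures for some 32-bit ARM userspace. I would leave the symbol out of the generic file so Kconfig picks the architecture default, or set it in the per-target configs, and test on an ARM target with SELinux on.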


