[openwrt/openwrt] kernel: add options needed for SELinux
LEDE Commits
lede-commits at lists.infradead.org
Sun Aug 30 20:16:31 EDT 2020
dangole pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/168faef4430240e997c1e85fd32a532bcc9742bd
commit 168faef4430240e997c1e85fd32a532bcc9742bd
Author: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
AuthorDate: Sun Aug 23 21:45:52 2020 -0500
kernel: add options needed for SELinux
This adds a number of options to config/Config-kernel.in so that
packages related to SELinux support can enable the appropriate Linux
kernel support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
[rebase; add ext4, F2FS, UBIFS, and JFFS2 support; add commit message]
Signed-off-by: W. Michael Petullo <mike at flyn.org>
---
config/Config-kernel.in | 55 +++++++++++++++++++++++++++++++++++++++++
target/linux/generic/config-5.4 | 25 +++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index d666176064..4eaaa4afae 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1081,6 +1081,9 @@ config KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE
default 2 if (SMALL_FLASH && !LOW_MEMORY_FOOTPRINT)
default 3
+config KERNEL_SQUASHFS_XATTR
+ bool "Squashfs XATTR support"
+
#
# compile optimiziation setting
#
@@ -1102,3 +1105,55 @@ config KERNEL_CC_OPTIMIZE_FOR_SIZE
your compiler resulting in a smaller kernel.
endchoice
+
+config KERNEL_AUDIT
+ bool "Auditing support"
+
+config KERNEL_SECURITY
+ bool "Enable different security models"
+
+config KERNEL_SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ select KERNEL_SECURITY
+
+config KERNEL_SECURITY_SELINUX
+ bool "NSA SELinux Support"
+ select KERNEL_SECURITY_NETWORK
+ select KERNEL_AUDIT
+
+config KERNEL_SECURITY_SELINUX_BOOTPARAM
+ bool "NSA SELinux boot parameter"
+ depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DISABLE
+ bool "NSA SELinux runtime disable"
+ depends on KERNEL_SECURITY_SELINUX
+
+config KERNEL_SECURITY_SELINUX_DEVELOP
+ bool "NSA SELinux Development Support"
+ depends on KERNEL_SECURITY_SELINUX
+
+choice
+ prompt "First legacy 'major LSM' to be initialized"
+ depends on KERNEL_SECURITY_SELINUX
+ default KERNEL_DEFAULT_SECURITY_SELINUX
+
+ config KERNEL_DEFAULT_SECURITY_SELINUX
+ bool "SELinux"
+
+ config KERNEL_DEFAULT_SECURITY_DAC
+ bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config KERNEL_EXT4_FS_SECURITY
+ bool "Ext4 Security Labels"
+
+config KERNEL_F2FS_FS_SECURITY
+ bool "F2FS Security Labels"
+
+config KERNEL_UBIFS_FS_SECURITY
+ bool "UBIFS Security Labels"
+
+config KERNEL_JFFS2_FS_SECURITY
+ bool "JFFS2 Security Labels"
diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4
index c39bd56cfa..d543819aad 100644
--- a/target/linux/generic/config-5.4
+++ b/target/linux/generic/config-5.4
@@ -1210,6 +1210,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_SECURITY=""
CONFIG_DEFAULT_SECURITY_DAC=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
@@ -1526,6 +1527,7 @@ CONFIG_EXTRA_TARGETS=""
# CONFIG_FAILOVER is not set
# CONFIG_FAIR_GROUP_SCHED is not set
# CONFIG_FANOTIFY is not set
+# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
# CONFIG_FAT_DEFAULT_UTF8 is not set
@@ -1671,6 +1673,24 @@ CONFIG_FLAT_NODE_MEM_MAP=y
# CONFIG_FORCEDETH is not set
CONFIG_FORCE_MAX_ZONEORDER=11
CONFIG_FORTIFY_SOURCE=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
+# CONFIG_SECURITY_SELINUX_DISABLE is not set
+# CONFIG_SECURITY_SELINUX_DEVELOP is not set
+# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_YAMA is not set
+# CONFIG_SECURITY_SAFESETID is not set
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+# CONFIG_INTEGRITY is not set
+# CONFIG_INTEGRITY_SIGNATURE is not set
+# CONFIG_INTEGRITY_AUDIT is not set
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_LSM is not set
# CONFIG_FPGA is not set
# CONFIG_FRAMEBUFFER_CONSOLE is not set
# CONFIG_FRAMEBUFFER_CONSOLE_DEFERRED_TAKEOVER is not set
@@ -3366,6 +3386,7 @@ CONFIG_NETDEVICES=y
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
# CONFIG_NETFILTER_XT_TARGET_TRACE is not set
# CONFIG_NETLINK_DIAG is not set
# CONFIG_NETLINK_MMAP is not set
@@ -3373,6 +3394,7 @@ CONFIG_NETDEVICES=y
# CONFIG_NETROM is not set
CONFIG_NETWORK_FILESYSTEMS=y
# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+# CONFIG_NETLABEL is not set
# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETXEN_NIC is not set
# CONFIG_NET_9P is not set
@@ -3647,6 +3669,7 @@ CONFIG_NFS_V3=y
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
# CONFIG_NF_CONNTRACK_SANE is not set
+# CONFIG_NF_CONNTRACK_SECMARK is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
@@ -4569,6 +4592,8 @@ CONFIG_SCSI_PROC_FS=y
CONFIG_SECTION_MISMATCH_WARN_ONLY=y
# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set
+# CONFIG_SECURITY_PATH is not set
+CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SELECT_MEMORY_MODEL=y
# CONFIG_SENSIRION_SGP30 is not set
More information about the lede-commits
mailing list