[yocto] [meta-security][PATCH 1/4] apparmor: update to 2.13.2
Drop patch included in update: tool-paths.patch Signed-off-by: Armin Kuster --- .../{apparmor_2.12.bb => apparmor_2.13.2.bb} | 12 -- recipes-mac/AppArmor/files/tool-paths.patch | 37 --- 2 files changed, 9 insertions(+), 40 deletions(-) rename recipes-mac/AppArmor/{apparmor_2.12.bb => apparmor_2.13.2.bb} (91%) delete mode 100644 recipes-mac/AppArmor/files/tool-paths.patch diff --git a/recipes-mac/AppArmor/apparmor_2.12.bb b/recipes-mac/AppArmor/apparmor_2.13.2.bb similarity index 91% rename from recipes-mac/AppArmor/apparmor_2.12.bb rename to recipes-mac/AppArmor/apparmor_2.13.2.bb index efa93e6..62ed611 100644 --- a/recipes-mac/AppArmor/apparmor_2.12.bb +++ b/recipes-mac/AppArmor/apparmor_2.13.2.bb @@ -17,7 +17,6 @@ SRC_URI = " \ http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ file://disable_perl_h_check.patch \ file://crosscompile_perl_bindings.patch \ - file://tool-paths.patch \ file://apparmor.rc \ file://functions \ file://apparmor \ @@ -25,8 +24,8 @@ SRC_URI = " \ file://run-ptest \ " -SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833" -SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056" +SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3" +SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30" PARALLEL_MAKE = "" @@ -60,6 +59,13 @@ do_configure() { } do_compile () { +# Fixes: +# | sed -ie 's///g' Makefile.perl +# | sed: -e expression #1, char 0: no previous regular expression +#| Makefile:478: recipe for target 'Makefile.perl' failed +sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile + + oe_runmake -C ${B}/libraries/libapparmor oe_runmake -C ${B}/binutils oe_runmake -C ${B}/utils diff --git a/recipes-mac/AppArmor/files/tool-paths.patch b/recipes-mac/AppArmor/files/tool-paths.patch deleted file mode 100644 index aaf08da..000 --- a/recipes-mac/AppArmor/files/tool-paths.patch +++ /dev/null 
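Review bot: The `sed -i` added to do_compile rewrites `${S}/libraries/libapparmor/swig/perl/Makefile`, while the `oe_runmake -C ${B}/...` calls right below it build from `${B}`. The two paths only coincide when the recipe builds in-tree, so the sed should use the same variable: `sed -i "s@sed -ie 's///g' Makefile.perl@@" ${B}/libraries/libapparmor/swig/perl/Makefile`. sed also exits 0 when nothing matches, so the workaround becomes a silent no-op once upstream changes that rule; a patch listed in SRC_URI with an Upstream-Status line would stop applying visibly instead. do_compile continues past the end of the hunk.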
@@ -1,37 +0,0 @@ -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From e7edd937adcbf1b3c8d38a31de5bacb2029b1965 Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Thu, 4 Oct 2018 23:15:28 -0700 -Subject: [PATCH] parser: fix Makefile hardcoded paths to flex and bison - -The hardcoded paths for flex and python can break builds on systems -where those tools are stored in an alternate location. Use which -to lookup where flex and bison are available. - -This fixes issue #4 - -Signed-off-by: John Johansen - parser/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/parser/Makefile b/parser/Makefile -index 4d370c36..015c218d 100644 a/parser/Makefile -+++ b/parser/Makefile -@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR} - LOCALEDIR=/usr/share/locale - MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5 - --YACC := /usr/bin/bison -+YACC := bison - YFLAGS:= -d --LEX := /usr/bin/flex -+LEX := flex - LEXFLAGS = -B -v - WARNINGS = -Wall - EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter --- -2.11.0 -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/4] apparmor: add basic runtime test
Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/apparmor.py | 27 +++ 1 file changed, 27 insertions(+) create mode 100644 lib/oeqa/runtime/cases/apparmor.py
diff --git a/lib/oeqa/runtime/cases/apparmor.py b/lib/oeqa/runtime/cases/apparmor.py
new file mode 100644
index 000..e2cb316
--- /dev/null
+++ b/lib/oeqa/runtime/cases/apparmor.py
@@ -0,0 +1,27 @@
+# Copyright (C) 2019 Armin Kuster
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ApparmorTest(OERuntimeTestCase):
+
+@OEHasPackage(['apparmor'])
+@OETestDepends(['ssh.SSHTest.test_ssh'])
+def test_apparmor_help(self):
+status, output = self.target.run('aa-status --help')
+msg = ('apparmor command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+self.assertEqual(status, 0, msg = msg)
+
+@OETestDepends(['apparmor.ApparmorTest.test_apparmor_help'])
+def test_apparmor_aa_status(self):
+status, output = self.target.run('aa-status')
+match = re.search('apparmor module is loaded.', output)
+if not match:
+msg = ('aa-status failed. '
+ 'Status and output:%s and %s' % (status, output))
+self.assertEqual(status, 0, msg = msg)
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
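Review bot: In test_apparmor_aa_status, `msg` is assigned only under `if not match:`, and the single assertion checks `status`, never `match`. The archive has flattened the indentation, so either the assert sits inside the `if` (a run where the line is present asserts nothing) or outside it (`msg` is unbound on the success path and the test errors out). Either way the "apparmor module is loaded" text never decides the result, so the test does not actually verify that the LSM is active on the target. Build `msg` unconditionally and assert both facts: `self.assertEqual(status, 0, msg=msg)` followed by `self.assertIn('apparmor module is loaded', output, msg=msg)`, which also avoids the unescaped `.` in the regex.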
[yocto] [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral
update apparmor configs Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto/apparmor.cfg| 12 +++- .../linux/linux-yocto/apparmor_on_boot.cfg | 1 + ...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} | 1 + 3 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => linux-yocto_%.bbappend} (78%)
diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg
index 1dc4168..b5f9bb2 100644
--- a/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg
@@ -1,13 +1,15 @@
 CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
 # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_PATH=y
 # CONFIG_SECURITY_SELINUX is not set
 CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
new file mode 100644
index 000..fc35740
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_%.bbappend
similarity index 78%
rename from recipes-kernel/linux/linux-yocto_4.%.bbappend
rename to recipes-kernel/linux/linux-yocto_%.bbappend
index 067be8f..321392c 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
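Review bot: apparmor.cfg enables `CONFIG_SECURITY_APPARMOR=y` and now makes AppArmor the default LSM, but the fragment never sets `CONFIG_SECURITY=y`, which the smack.cfg fragment in PATCH 4/4 does set for its own LSM. CONFIG_SECURITY_APPARMOR depends on CONFIG_SECURITY, so on a base config that lacks it the AppArmor symbols would presumably be dropped when the fragments are merged, and the image would boot with no LSM enforcing. Add `CONFIG_SECURITY=y` at the top of the fragment so it does not rely on the base config. The same applies to the identical linux-stable/apparmor.cfg in PATCH 4/4 and to the v2 resend of this patch.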
+++ b/recipes-kernel/linux/linux-yocto_%.bbappend @@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ +${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ " SRC_URI += "\ -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends
Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-stable/apparmor.cfg| 15 +++ .../linux/linux-stable/apparmor_on_boot.cfg | 1 + .../linux/linux-stable/smack-default-lsm.cfg | 2 ++ recipes-kernel/linux/linux-stable/smack.cfg | 8 recipes-kernel/linux/linux-stable_%.bbappend | 11 +++ 5 files changed, 37 insertions(+) create mode 100644 recipes-kernel/linux/linux-stable/apparmor.cfg create mode 100644 recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg create mode 100644 recipes-kernel/linux/linux-stable/smack-default-lsm.cfg create mode 100644 recipes-kernel/linux/linux-stable/smack.cfg create mode 100644 recipes-kernel/linux/linux-stable_%.bbappend
diff --git a/recipes-kernel/linux/linux-stable/apparmor.cfg b/recipes-kernel/linux/linux-stable/apparmor.cfg
new file mode 100644
index 000..b5f9bb2
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/apparmor.cfg
@@ -0,0 +1,15 @@
+CONFIG_AUDIT=y
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
diff --git a/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
new file mode 100644
index 000..fc35740
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
new file mode 100644
index 000..b5c4845
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/recipes-kernel/linux/linux-stable/smack.cfg b/recipes-kernel/linux/linux-stable/smack.cfg
new file mode 100644
index 000..62f465a
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/recipes-kernel/linux/linux-stable_%.bbappend b/recipes-kernel/linux/linux-stable_%.bbappend
new file mode 100644
index 000..321392c
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable_%.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
+"
+
+SRC_URI += "\
+${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
+${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
+"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
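Review bot: With both `apparmor` and `smack` in DISTRO_FEATURES, linux-stable_%.bbappend adds apparmor.cfg and smack-default-lsm.cfg together, and the two contradict each other. One sets `CONFIG_DEFAULT_SECURITY="apparmor"` with `CONFIG_DEFAULT_SECURITY_APPARMOR=y`, the other `CONFIG_DEFAULT_SECURITY="smack"` with `CONFIG_DEFAULT_SECURITY_SMACK=y`. Which LSM ends up as the default then depends on fragment order (presumably the later fragment wins), and nothing in the recipe reports the clash. Make the choice explicit, for example by adding smack-default-lsm.cfg only when `apparmor` is absent from DISTRO_FEATURES, and document it above the two SRC_URI blocks with a comment such as `# apparmor and smack both set CONFIG_DEFAULT_SECURITY; only one default-LSM fragment may be selected`.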
Re: [yocto] [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends
not goint to work. dropping On 3/31/19 10:29 AM, Armin Kuster wrote: > Signed-off-by: Armin Kuster > --- > recipes-kernel/linux/linux-stable/apparmor.cfg| 15 +++ > .../linux/linux-stable/apparmor_on_boot.cfg | 1 + > .../linux/linux-stable/smack-default-lsm.cfg | 2 ++ > recipes-kernel/linux/linux-stable/smack.cfg | 8 > recipes-kernel/linux/linux-stable_%.bbappend | 11 +++ > 5 files changed, 37 insertions(+) > create mode 100644 recipes-kernel/linux/linux-stable/apparmor.cfg > create mode 100644 recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg > create mode 100644 recipes-kernel/linux/linux-stable/smack-default-lsm.cfg > create mode 100644 recipes-kernel/linux/linux-stable/smack.cfg > create mode 100644 recipes-kernel/linux/linux-stable_%.bbappend > > diff --git a/recipes-kernel/linux/linux-stable/apparmor.cfg > b/recipes-kernel/linux/linux-stable/apparmor.cfg > new file mode 100644 > index 000..b5f9bb2 > --- /dev/null > +++ b/recipes-kernel/linux/linux-stable/apparmor.cfg > @@ -0,0 +1,15 @@ > +CONFIG_AUDIT=y > +# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set > +CONFIG_SECURITY_NETWORK=y > +# CONFIG_SECURITY_NETWORK_XFRM is not set > +CONFIG_SECURITY_PATH=y > +# CONFIG_SECURITY_SELINUX is not set > +CONFIG_SECURITY_APPARMOR=y > +CONFIG_SECURITY_APPARMOR_HASH=y > +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y > +# CONFIG_SECURITY_APPARMOR_DEBUG is not set > +CONFIG_INTEGRITY_AUDIT=y > +CONFIG_DEFAULT_SECURITY_APPARMOR=y > +# CONFIG_DEFAULT_SECURITY_DAC is not set > +CONFIG_DEFAULT_SECURITY="apparmor" > +CONFIG_AUDIT_GENERIC=y > diff --git a/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg > b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg > new file mode 100644 > index 000..fc35740 > --- /dev/null > +++ b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg > @@ -0,0 +1 @@ > +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 
> diff --git a/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg > b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg > new file mode 100644 > index 000..b5c4845 > --- /dev/null > +++ b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg > @@ -0,0 +1,2 @@ > +CONFIG_DEFAULT_SECURITY="smack" > +CONFIG_DEFAULT_SECURITY_SMACK=y > diff --git a/recipes-kernel/linux/linux-stable/smack.cfg > b/recipes-kernel/linux/linux-stable/smack.cfg > new file mode 100644 > index 000..62f465a > --- /dev/null > +++ b/recipes-kernel/linux/linux-stable/smack.cfg > @@ -0,0 +1,8 @@ > +CONFIG_IP_NF_SECURITY=m > +CONFIG_IP6_NF_SECURITY=m > +CONFIG_EXT2_FS_SECURITY=y > +CONFIG_EXT3_FS_SECURITY=y > +CONFIG_EXT4_FS_SECURITY=y > +CONFIG_SECURITY=y > +CONFIG_SECURITY_SMACK=y > +CONFIG_TMPFS_XATTR=y > diff --git a/recipes-kernel/linux/linux-stable_%.bbappend > b/recipes-kernel/linux/linux-stable_%.bbappend > new file mode 100644 > index 000..321392c > --- /dev/null > +++ b/recipes-kernel/linux/linux-stable_%.bbappend > @@ -0,0 +1,11 @@ > +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" > + > +SRC_URI += "\ > +${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' > file://apparmor.cfg', '', d)} \ > +${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' > file://apparmor_on_boot.cfg', '', d)} \ > +" > + > +SRC_URI += "\ > +${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' > file://smack.cfg', '', d)} \ > +${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' > file://smack-default-lsm.cfg', '', d)} \ > +" -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral
On Sun, Mar 31, 2019 at 10:28:59AM -0700, Armin Kuster wrote: > update apparmor configs > > Signed-off-by: Armin Kuster > --- > recipes-kernel/linux/linux-yocto/apparmor.cfg| 12 +++- > .../linux/linux-yocto/apparmor_on_boot.cfg | 1 + > ...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} | 1 + > 3 files changed, 9 insertions(+), 5 deletions(-) > create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg > rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => > linux-yocto_%.bbappend} (78%) > > diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg > b/recipes-kernel/linux/linux-yocto/apparmor.cfg > index 1dc4168..b5f9bb2 100644 > --- a/recipes-kernel/linux/linux-yocto/apparmor.cfg > +++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg > @@ -1,13 +1,15 @@ > CONFIG_AUDIT=y > -CONFIG_AUDITSYSCALL=y > -CONFIG_AUDIT_WATCH=y > -CONFIG_AUDIT_TREE=y > # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set > +CONFIG_SECURITY_NETWORK=y > +# CONFIG_SECURITY_NETWORK_XFRM is not set > CONFIG_SECURITY_PATH=y > # CONFIG_SECURITY_SELINUX is not set > CONFIG_SECURITY_APPARMOR=y > -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 > CONFIG_SECURITY_APPARMOR_HASH=y > CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y > +# CONFIG_SECURITY_APPARMOR_DEBUG is not set > CONFIG_INTEGRITY_AUDIT=y > -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set > +CONFIG_DEFAULT_SECURITY_APPARMOR=y > +# CONFIG_DEFAULT_SECURITY_DAC is not set > +CONFIG_DEFAULT_SECURITY="apparmor" > +CONFIG_AUDIT_GENERIC=y > diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg > b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg > new file mode 100644 > index 000..fc35740 > --- /dev/null > +++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg 
> @@ -0,0 +1 @@ > +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 >... This and some of the other touched options are removed in kernel 5.1, replaced with a different CONFIG_LSM mechanism. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral
On 3/31/19 10:59 AM, Adrian Bunk wrote: > On Sun, Mar 31, 2019 at 10:28:59AM -0700, Armin Kuster wrote: >> update apparmor configs >> >> Signed-off-by: Armin Kuster >> --- >> recipes-kernel/linux/linux-yocto/apparmor.cfg| 12 +++- >> .../linux/linux-yocto/apparmor_on_boot.cfg | 1 + >> ...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} | 1 + >> 3 files changed, 9 insertions(+), 5 deletions(-) >> create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg >> rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => >> linux-yocto_%.bbappend} (78%) >> >> diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg >> b/recipes-kernel/linux/linux-yocto/apparmor.cfg >> index 1dc4168..b5f9bb2 100644 >> --- a/recipes-kernel/linux/linux-yocto/apparmor.cfg >> +++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg >> @@ -1,13 +1,15 @@ >> CONFIG_AUDIT=y >> -CONFIG_AUDITSYSCALL=y >> -CONFIG_AUDIT_WATCH=y >> -CONFIG_AUDIT_TREE=y >> # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set >> +CONFIG_SECURITY_NETWORK=y >> +# CONFIG_SECURITY_NETWORK_XFRM is not set >> CONFIG_SECURITY_PATH=y >> # CONFIG_SECURITY_SELINUX is not set >> CONFIG_SECURITY_APPARMOR=y >> -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 >> CONFIG_SECURITY_APPARMOR_HASH=y >> CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y >> +# CONFIG_SECURITY_APPARMOR_DEBUG is not set >> CONFIG_INTEGRITY_AUDIT=y >> -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set >> +CONFIG_DEFAULT_SECURITY_APPARMOR=y >> +# CONFIG_DEFAULT_SECURITY_DAC is not set >> +CONFIG_DEFAULT_SECURITY="apparmor" >> +CONFIG_AUDIT_GENERIC=y >> diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg >> b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg >> new file mode 100644 >> index 000..fc35740 >> --- /dev/null >> +++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg 
>> @@ -0,0 +1 @@ >> +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 >> ... > This and some of the other touched options are removed in kernel 5.1, > replaced with a different CONFIG_LSM mechanism. Ah, 5.1... good point.. . At some point I really should get these in the kernel-cache. thanks for the review. - armin > > cu > Adrian > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][v2][PATCH] linux-yocto: make bbappend version neutral
update apparmor configs [v2] Just update configs. leave versions intact. Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto/apparmor.cfg| 12 +++- .../linux/linux-yocto/apparmor_on_boot.cfg | 1 + recipes-kernel/linux/linux-yocto_4.%.bbappend| 1 + 3 files changed, 9 insertions(+), 5 deletions(-) create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg
index 1dc4168..b5f9bb2 100644
--- a/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg
@@ -1,13 +1,15 @@
 CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
 # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_PATH=y
 # CONFIG_SECURITY_SELINUX is not set
 CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
new file mode 100644
index 000..fc35740
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 067be8f..321392c 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ +${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ " SRC_URI += "\ -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto