* [meta-security][PATCH 1/4] apparmor: update to 2.13.2
@ 2019-03-31 17:28 Armin Kuster
2019-03-31 17:28 ` [meta-security][PATCH 2/4] apparmor: add basic runtime test Armin Kuster
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Armin Kuster @ 2019-03-31 17:28 UTC (permalink / raw)
To: yocto
Drop patch included in update:
tool-paths.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../{apparmor_2.12.bb => apparmor_2.13.2.bb} | 12 ++++--
recipes-mac/AppArmor/files/tool-paths.patch | 37 -------------------
2 files changed, 9 insertions(+), 40 deletions(-)
rename recipes-mac/AppArmor/{apparmor_2.12.bb => apparmor_2.13.2.bb} (91%)
delete mode 100644 recipes-mac/AppArmor/files/tool-paths.patch
diff --git a/recipes-mac/AppArmor/apparmor_2.12.bb b/recipes-mac/AppArmor/apparmor_2.13.2.bb
similarity index 91%
rename from recipes-mac/AppArmor/apparmor_2.12.bb
rename to recipes-mac/AppArmor/apparmor_2.13.2.bb
index efa93e6..62ed611 100644
--- a/recipes-mac/AppArmor/apparmor_2.12.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.2.bb
@@ -17,7 +17,6 @@ SRC_URI = " \
http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
file://disable_perl_h_check.patch \
file://crosscompile_perl_bindings.patch \
- file://tool-paths.patch \
file://apparmor.rc \
file://functions \
file://apparmor \
@@ -25,8 +24,8 @@ SRC_URI = " \
file://run-ptest \
"
-SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
-SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
+SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3"
+SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30"
PARALLEL_MAKE = ""
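Review bot: the commit message should record how the new SRC_URI[sha256sum] was verified, because the SRC_URI visible in the previous hunk fetches the tarball over plain http from archive.ubuntu.com and these checksum lines are the only integrity check on it. Compare the value against the upstream release's published signature or checksum before merging, and note in the message that this was done.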
@@ -60,6 +59,13 @@ do_configure() {
}
do_compile () {
+ # Fixes:
+ # | sed -ie 's///g' Makefile.perl
+ # | sed: -e expression #1, char 0: no previous regular expression
+ #| Makefile:478: recipe for target 'Makefile.perl' failed
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
oe_runmake -C ${B}/libraries/libapparmor
oe_runmake -C ${B}/binutils
oe_runmake -C ${B}/utils
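Review bot: the sed added at the top of do_compile edits ${S}/libraries/libapparmor/swig/perl/Makefile in the source tree on every compile, while the oe_runmake calls that follow work in ${B}. If that Makefile is generated at configure time, move the edit to the end of do_configure; otherwise carry it as a patch in SRC_URI with an Upstream-Status line so the workaround can be tracked. As written, the sed also matches nothing and succeeds silently once upstream changes that line, so the workaround will linger unnoticed. Minor: the comment block mixes "# |" and "#|", and two blank lines are added where one is enough.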
diff --git a/recipes-mac/AppArmor/files/tool-paths.patch b/recipes-mac/AppArmor/files/tool-paths.patch
deleted file mode 100644
index aaf08da..0000000
--- a/recipes-mac/AppArmor/files/tool-paths.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From e7edd937adcbf1b3c8d38a31de5bacb2029b1965 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen@canonical.com>
-Date: Thu, 4 Oct 2018 23:15:28 -0700
-Subject: [PATCH] parser: fix Makefile hardcoded paths to flex and bison
-
-The hardcoded paths for flex and python can break builds on systems
-where those tools are stored in an alternate location. Use which
-to lookup where flex and bison are available.
-
-This fixes issue #4
-
-Signed-off-by: John Johansen <john.johansen@canonical.com>
----
- parser/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/parser/Makefile b/parser/Makefile
-index 4d370c36..015c218d 100644
---- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
- LOCALEDIR=/usr/share/locale
- MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
-
--YACC := /usr/bin/bison
-+YACC := bison
- YFLAGS := -d
--LEX := /usr/bin/flex
-+LEX := flex
- LEXFLAGS = -B -v
- WARNINGS = -Wall
- EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
---
-2.11.0
--
2.17.1
* [meta-security][PATCH 2/4] apparmor: add basic runtime test
2019-03-31 17:28 [meta-security][PATCH 1/4] apparmor: update to 2.13.2 Armin Kuster
@ 2019-03-31 17:28 ` Armin Kuster
2019-03-31 17:28 ` [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral Armin Kuster
2019-03-31 17:29 ` [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends Armin Kuster
2 siblings, 0 replies; 7+ messages in thread
From: Armin Kuster @ 2019-03-31 17:28 UTC (permalink / raw)
To: yocto
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
lib/oeqa/runtime/cases/apparmor.py | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 lib/oeqa/runtime/cases/apparmor.py
diff --git a/lib/oeqa/runtime/cases/apparmor.py b/lib/oeqa/runtime/cases/apparmor.py
new file mode 100644
index 0000000..e2cb316
--- /dev/null
+++ b/lib/oeqa/runtime/cases/apparmor.py
@@ -0,0 +1,27 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class ApparmorTest(OERuntimeTestCase):
+
+ @OEHasPackage(['apparmor'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_apparmor_help(self):
+ status, output = self.target.run('aa-status --help')
+ msg = ('apparmor command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['apparmor.ApparmorTest.test_apparmor_help'])
+ def test_apparmor_aa_status(self):
+ status, output = self.target.run('aa-status')
+ match = re.search('apparmor module is loaded.', output)
+ if not match:
+ msg = ('aa-status failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
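Review bot: in test_apparmor_aa_status the result of re.search('apparmor module is loaded.', output) never decides the outcome, because the only assertion is assertEqual(status, 0) and msg is assigned only under "if not match". Build msg unconditionally, assert on status, then add self.assertTrue(match, msg=msg) so that output lacking the "module is loaded" line fails the test regardless of the exit status. The trailing "." in the pattern is also an unescaped regex wildcard; a plain substring check on output would be simpler and exact.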
--
2.17.1
* [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral
2019-03-31 17:28 [meta-security][PATCH 1/4] apparmor: update to 2.13.2 Armin Kuster
2019-03-31 17:28 ` [meta-security][PATCH 2/4] apparmor: add basic runtime test Armin Kuster
@ 2019-03-31 17:28 ` Armin Kuster
2019-03-31 17:59 ` Adrian Bunk
2019-03-31 17:29 ` [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends Armin Kuster
2 siblings, 1 reply; 7+ messages in thread
From: Armin Kuster @ 2019-03-31 17:28 UTC (permalink / raw)
To: yocto
update apparmor configs
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-kernel/linux/linux-yocto/apparmor.cfg | 12 +++++++-----
.../linux/linux-yocto/apparmor_on_boot.cfg | 1 +
...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} | 1 +
3 files changed, 9 insertions(+), 5 deletions(-)
create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => linux-yocto_%.bbappend} (78%)
diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg
index 1dc4168..b5f9bb2 100644
--- a/recipes-kernel/linux/linux-yocto/apparmor.cfg
+++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg
@@ -1,13 +1,15 @@
CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
-CONFIG_AUDIT_WATCH=y
-CONFIG_AUDIT_TREE=y
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
CONFIG_SECURITY_PATH=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_SECURITY_APPARMOR=y
-CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
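Review bot: the commit message needs to explain the behaviour changes in apparmor.cfg, which go beyond the "version neutral" rename in the subject. CONFIG_DEFAULT_SECURITY_APPARMOR goes from "is not set" to y with CONFIG_DEFAULT_SECURITY="apparmor" and CONFIG_DEFAULT_SECURITY_DAC explicitly unset, and CONFIG_AUDITSYSCALL, CONFIG_AUDIT_WATCH and CONFIG_AUDIT_TREE are dropped, while the message only says "update apparmor configs". State whether losing the syscall-audit options is intended, since AppArmor denials are reported through the audit subsystem, and consider splitting the default-LSM change into its own commit.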
diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
new file mode 100644
index 0000000..fc35740
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_%.bbappend
similarity index 78%
rename from recipes-kernel/linux/linux-yocto_4.%.bbappend
rename to recipes-kernel/linux/linux-yocto_%.bbappend
index 067be8f..321392c 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "\
${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
"
SRC_URI += "\
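Review bot: apparmor.cfg and the new apparmor_on_boot.cfg are both gated on the same DISTRO_FEATURES 'apparmor' check in this SRC_URI, so moving CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE into a separate fragment gives no way to select it independently. Either keep the option in apparmor.cfg or gate the second fragment on a distinct feature or variable, and say in the commit message what the split is for. With the rename to linux-yocto_%.bbappend both fragments now apply to every linux-yocto version, so the message should also list the kernel versions they were checked against.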
--
2.17.1
* [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends
2019-03-31 17:28 [meta-security][PATCH 1/4] apparmor: update to 2.13.2 Armin Kuster
2019-03-31 17:28 ` [meta-security][PATCH 2/4] apparmor: add basic runtime test Armin Kuster
2019-03-31 17:28 ` [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral Armin Kuster
@ 2019-03-31 17:29 ` Armin Kuster
2019-03-31 17:41 ` akuster808
2 siblings, 1 reply; 7+ messages in thread
From: Armin Kuster @ 2019-03-31 17:29 UTC (permalink / raw)
To: yocto
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-kernel/linux/linux-stable/apparmor.cfg | 15 +++++++++++++++
.../linux/linux-stable/apparmor_on_boot.cfg | 1 +
.../linux/linux-stable/smack-default-lsm.cfg | 2 ++
recipes-kernel/linux/linux-stable/smack.cfg | 8 ++++++++
recipes-kernel/linux/linux-stable_%.bbappend | 11 +++++++++++
5 files changed, 37 insertions(+)
create mode 100644 recipes-kernel/linux/linux-stable/apparmor.cfg
create mode 100644 recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
create mode 100644 recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
create mode 100644 recipes-kernel/linux/linux-stable/smack.cfg
create mode 100644 recipes-kernel/linux/linux-stable_%.bbappend
diff --git a/recipes-kernel/linux/linux-stable/apparmor.cfg b/recipes-kernel/linux/linux-stable/apparmor.cfg
new file mode 100644
index 0000000..b5f9bb2
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/apparmor.cfg
@@ -0,0 +1,15 @@
+CONFIG_AUDIT=y
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_DAC is not set
+CONFIG_DEFAULT_SECURITY="apparmor"
+CONFIG_AUDIT_GENERIC=y
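Review bot: this fragment never sets CONFIG_SECURITY=y, although smack.cfg in the same patch sets it explicitly and CONFIG_SECURITY_APPARMOR depends on it. Add CONFIG_SECURITY=y here so the fragment does not rely on the base configuration of whichever linux-stable kernel it is appended to. The file is also the same blob (b5f9bb2) as recipes-kernel/linux/linux-yocto/apparmor.cfg, so consider sharing one copy instead of duplicating it.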
diff --git a/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
new file mode 100644
index 0000000..fc35740
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
@@ -0,0 +1 @@
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
diff --git a/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
new file mode 100644
index 0000000..b5c4845
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/recipes-kernel/linux/linux-stable/smack.cfg b/recipes-kernel/linux/linux-stable/smack.cfg
new file mode 100644
index 0000000..62f465a
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/recipes-kernel/linux/linux-stable_%.bbappend b/recipes-kernel/linux/linux-stable_%.bbappend
new file mode 100644
index 0000000..321392c
--- /dev/null
+++ b/recipes-kernel/linux/linux-stable_%.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
+"
+
+SRC_URI += "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
+"
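Review bot: nothing in this bbappend handles DISTRO_FEATURES containing both 'apparmor' and 'smack', in which case apparmor.cfg sets CONFIG_DEFAULT_SECURITY="apparmor" and smack-default-lsm.cfg sets CONFIG_DEFAULT_SECURITY="smack", and the default LSM then depends on fragment merge order. Make the two default-LSM settings mutually exclusive (for example, select the default from a single variable) or fail the build when both features are enabled, and document which LSM is expected to win.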
--
2.17.1
* Re: [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends
2019-03-31 17:29 ` [meta-security][PATCH 4/4] linux-stable: add support for stable kernel bbappends Armin Kuster
@ 2019-03-31 17:41 ` akuster808
0 siblings, 0 replies; 7+ messages in thread
From: akuster808 @ 2019-03-31 17:41 UTC (permalink / raw)
To: Armin Kuster, yocto
not going to work.
dropping
On 3/31/19 10:29 AM, Armin Kuster wrote:
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
> recipes-kernel/linux/linux-stable/apparmor.cfg | 15 +++++++++++++++
> .../linux/linux-stable/apparmor_on_boot.cfg | 1 +
> .../linux/linux-stable/smack-default-lsm.cfg | 2 ++
> recipes-kernel/linux/linux-stable/smack.cfg | 8 ++++++++
> recipes-kernel/linux/linux-stable_%.bbappend | 11 +++++++++++
> 5 files changed, 37 insertions(+)
> create mode 100644 recipes-kernel/linux/linux-stable/apparmor.cfg
> create mode 100644 recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
> create mode 100644 recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
> create mode 100644 recipes-kernel/linux/linux-stable/smack.cfg
> create mode 100644 recipes-kernel/linux/linux-stable_%.bbappend
>
> diff --git a/recipes-kernel/linux/linux-stable/apparmor.cfg b/recipes-kernel/linux/linux-stable/apparmor.cfg
> new file mode 100644
> index 0000000..b5f9bb2
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-stable/apparmor.cfg
> @@ -0,0 +1,15 @@
> +CONFIG_AUDIT=y
> +# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
> +CONFIG_SECURITY_NETWORK=y
> +# CONFIG_SECURITY_NETWORK_XFRM is not set
> +CONFIG_SECURITY_PATH=y
> +# CONFIG_SECURITY_SELINUX is not set
> +CONFIG_SECURITY_APPARMOR=y
> +CONFIG_SECURITY_APPARMOR_HASH=y
> +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
> +# CONFIG_SECURITY_APPARMOR_DEBUG is not set
> +CONFIG_INTEGRITY_AUDIT=y
> +CONFIG_DEFAULT_SECURITY_APPARMOR=y
> +# CONFIG_DEFAULT_SECURITY_DAC is not set
> +CONFIG_DEFAULT_SECURITY="apparmor"
> +CONFIG_AUDIT_GENERIC=y
> diff --git a/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
> new file mode 100644
> index 0000000..fc35740
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-stable/apparmor_on_boot.cfg
> @@ -0,0 +1 @@
> +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> diff --git a/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
> new file mode 100644
> index 0000000..b5c4845
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-stable/smack-default-lsm.cfg
> @@ -0,0 +1,2 @@
> +CONFIG_DEFAULT_SECURITY="smack"
> +CONFIG_DEFAULT_SECURITY_SMACK=y
> diff --git a/recipes-kernel/linux/linux-stable/smack.cfg b/recipes-kernel/linux/linux-stable/smack.cfg
> new file mode 100644
> index 0000000..62f465a
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-stable/smack.cfg
> @@ -0,0 +1,8 @@
> +CONFIG_IP_NF_SECURITY=m
> +CONFIG_IP6_NF_SECURITY=m
> +CONFIG_EXT2_FS_SECURITY=y
> +CONFIG_EXT3_FS_SECURITY=y
> +CONFIG_EXT4_FS_SECURITY=y
> +CONFIG_SECURITY=y
> +CONFIG_SECURITY_SMACK=y
> +CONFIG_TMPFS_XATTR=y
> diff --git a/recipes-kernel/linux/linux-stable_%.bbappend b/recipes-kernel/linux/linux-stable_%.bbappend
> new file mode 100644
> index 0000000..321392c
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-stable_%.bbappend
> @@ -0,0 +1,11 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI += "\
> + ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
> + ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \
> +"
> +
> +SRC_URI += "\
> + ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
> + ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
> +"
* Re: [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral
2019-03-31 17:28 ` [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral Armin Kuster
@ 2019-03-31 17:59 ` Adrian Bunk
2019-03-31 19:35 ` akuster808
0 siblings, 1 reply; 7+ messages in thread
From: Adrian Bunk @ 2019-03-31 17:59 UTC (permalink / raw)
To: Armin Kuster; +Cc: yocto
On Sun, Mar 31, 2019 at 10:28:59AM -0700, Armin Kuster wrote:
> update apparmor configs
>
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
> recipes-kernel/linux/linux-yocto/apparmor.cfg | 12 +++++++-----
> .../linux/linux-yocto/apparmor_on_boot.cfg | 1 +
> ...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} | 1 +
> 3 files changed, 9 insertions(+), 5 deletions(-)
> create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
> rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => linux-yocto_%.bbappend} (78%)
>
> diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg
> index 1dc4168..b5f9bb2 100644
> --- a/recipes-kernel/linux/linux-yocto/apparmor.cfg
> +++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg
> @@ -1,13 +1,15 @@
> CONFIG_AUDIT=y
> -CONFIG_AUDITSYSCALL=y
> -CONFIG_AUDIT_WATCH=y
> -CONFIG_AUDIT_TREE=y
> # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
> +CONFIG_SECURITY_NETWORK=y
> +# CONFIG_SECURITY_NETWORK_XFRM is not set
> CONFIG_SECURITY_PATH=y
> # CONFIG_SECURITY_SELINUX is not set
> CONFIG_SECURITY_APPARMOR=y
> -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_APPARMOR_HASH=y
> CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
> +# CONFIG_SECURITY_APPARMOR_DEBUG is not set
> CONFIG_INTEGRITY_AUDIT=y
> -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
> +CONFIG_DEFAULT_SECURITY_APPARMOR=y
> +# CONFIG_DEFAULT_SECURITY_DAC is not set
> +CONFIG_DEFAULT_SECURITY="apparmor"
> +CONFIG_AUDIT_GENERIC=y
> diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
> new file mode 100644
> index 0000000..fc35740
> --- /dev/null
> +++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
> @@ -0,0 +1 @@
> +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>...
This and some of the other touched options are removed in kernel 5.1,
replaced with a different CONFIG_LSM mechanism.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
* Re: [meta-security][PATCH 3/4] linux-yocto: make bbappend version neutral
2019-03-31 17:59 ` Adrian Bunk
@ 2019-03-31 19:35 ` akuster808
0 siblings, 0 replies; 7+ messages in thread
From: akuster808 @ 2019-03-31 19:35 UTC (permalink / raw)
To: Adrian Bunk; +Cc: yocto
On 3/31/19 10:59 AM, Adrian Bunk wrote:
> On Sun, Mar 31, 2019 at 10:28:59AM -0700, Armin Kuster wrote:
>> update apparmor configs
>>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>> recipes-kernel/linux/linux-yocto/apparmor.cfg | 12 +++++++-----
>> .../linux/linux-yocto/apparmor_on_boot.cfg | 1 +
>> ...nux-yocto_4.%.bbappend => linux-yocto_%.bbappend} | 1 +
>> 3 files changed, 9 insertions(+), 5 deletions(-)
>> create mode 100644 recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
>> rename recipes-kernel/linux/{linux-yocto_4.%.bbappend => linux-yocto_%.bbappend} (78%)
>>
>> diff --git a/recipes-kernel/linux/linux-yocto/apparmor.cfg b/recipes-kernel/linux/linux-yocto/apparmor.cfg
>> index 1dc4168..b5f9bb2 100644
>> --- a/recipes-kernel/linux/linux-yocto/apparmor.cfg
>> +++ b/recipes-kernel/linux/linux-yocto/apparmor.cfg
>> @@ -1,13 +1,15 @@
>> CONFIG_AUDIT=y
>> -CONFIG_AUDITSYSCALL=y
>> -CONFIG_AUDIT_WATCH=y
>> -CONFIG_AUDIT_TREE=y
>> # CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
>> +CONFIG_SECURITY_NETWORK=y
>> +# CONFIG_SECURITY_NETWORK_XFRM is not set
>> CONFIG_SECURITY_PATH=y
>> # CONFIG_SECURITY_SELINUX is not set
>> CONFIG_SECURITY_APPARMOR=y
>> -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> CONFIG_SECURITY_APPARMOR_HASH=y
>> CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
>> +# CONFIG_SECURITY_APPARMOR_DEBUG is not set
>> CONFIG_INTEGRITY_AUDIT=y
>> -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
>> +CONFIG_DEFAULT_SECURITY_APPARMOR=y
>> +# CONFIG_DEFAULT_SECURITY_DAC is not set
>> +CONFIG_DEFAULT_SECURITY="apparmor"
>> +CONFIG_AUDIT_GENERIC=y
>> diff --git a/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
>> new file mode 100644
>> index 0000000..fc35740
>> --- /dev/null
>> +++ b/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg
>> @@ -0,0 +1 @@
>> +CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
>> ...
> This and some of the other touched options are removed in kernel 5.1,
> replaced with a different CONFIG_LSM mechanism.
Ah, 5.1... good point...
At some point I really should get these in the kernel-cache.
thanks for the review.
- armin
>
> cu
> Adrian
>