From f13e9b47cfc27a3a40d68573202f34caadc9cba9 2018-12-04 13:35:42 From: Unknown Date: 2018-12-04 13:35:42 Subject: [PATCH] apparmor --- diff --git a/README.md b/README.md index 9b2cf20..d322e0c 100644 --- a/README.md +++ b/README.md @@ -369,6 +369,8 @@ Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load use ##### `KERNEL_BPF`=true Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls] +##### `KERNEL_SECURITY`=false +Enables Apparmor, integrity subsystem, auditing --- #### Reduce disk usage: diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index f088036..67decc6 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh 
@@ -115,6 +115,48 @@ if [ "$BUILD_KERNEL" = true ] ; then set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y fi + # enable apparmor,integrity audit, + if [ "$KERNEL_SECURITY" = true ] ; then + + # security filesystem, security models and audit + set_kernel_config CONFIG_SECURITYFS y + set_kernel_config CONFIG_SECURITY y + set_kernel_config CONFIG_AUDIT y + + # harden strcpy and memcpy + set_kernel_config CONFIG_HARDENED_USERCOPY=y + set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y + set_kernel_config CONFIG_FORTIFY_SOURCE=y + + # integrity sub-system + set_kernel_config CONFIG_INTEGRITY=y + set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y + set_kernel_config CONFIG_INTEGRITY_AUDIT=y + set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y + set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y + + # This option provides support for retaining authentication tokens and access keys in the kernel. + set_kernel_config CONFIG_KEYS=y + set_kernel_config CONFIG_KEYS_COMPAT=y + + # Apparmor + set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 1 + set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y + set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y + set_kernel_config CONFIG_SECURITY_APPARMOR y + set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y + set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor" + + # restrictions on unprivileged users reading the kernel + set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y + + # network security hooks + set_kernel_config CONFIG_SECURITY_NETWORK y + set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y + set_kernel_config CONFIG_SECURITY_PATH=y + set_kernel_config CONFIG_SECURITY_YAMA=y + fi + # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406 if [ "$KERNEL_NF" = true ] ; then set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh index 7dca724..1ef5adf 100755 --- a/rpi23-gen-image.sh +++ b/rpi23-gen-image.sh 
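Review bot: Fourteen of the new calls inside the `KERNEL_SECURITY` block pass one fused argument, e.g. `set_kernel_config CONFIG_HARDENED_USERCOPY=y`, while the context lines and the rest of the block use the two-argument form `set_kernel_config CONFIG_SECURITYFS y`. The helper is defined outside this hunk, but if it takes the symbol and the value separately, the usercopy, fortify, integrity, keys, dmesg-restrict, XFRM, path and Yama options are probably never written as intended, so an image built with `KERNEL_SECURITY=true` would look hardened without being so. The fence below switches those lines to the two-argument form, drops `CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR` (as far as I know a symbol selected by Kconfig rather than set by the user), and rewords `# harden strcpy and memcpy`, since hardened usercopy covers copies to and from user space. `CONFIG_DEFAULT_SECURITY "apparmor"` reaches the helper without its quotes, so please confirm the resulting `.config` line is a valid quoted string. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside the hunk; checking the final `.config` for these symbols after the kernel config step would catch any that did not apply.

```shell
    if [ "$KERNEL_SECURITY" = true ] ; then
      # … unchanged: SECURITYFS, SECURITY, AUDIT …

      # harden copies to/from user space and fortify string functions
      set_kernel_config CONFIG_HARDENED_USERCOPY y
      set_kernel_config CONFIG_FORTIFY_SOURCE y

      # integrity sub-system
      set_kernel_config CONFIG_INTEGRITY y
      set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS y
      set_kernel_config CONFIG_INTEGRITY_AUDIT y
      set_kernel_config CONFIG_INTEGRITY_SIGNATURE y
      set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING y

      # retain authentication tokens and access keys in the kernel
      set_kernel_config CONFIG_KEYS y
      set_kernel_config CONFIG_KEYS_COMPAT y

      # … unchanged: AppArmor options …

      # restrict unprivileged reads of the kernel log
      set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT y

      # network security hooks
      set_kernel_config CONFIG_SECURITY_NETWORK y
      set_kernel_config CONFIG_SECURITY_NETWORK_XFRM y
      set_kernel_config CONFIG_SECURITY_PATH y
      set_kernel_config CONFIG_SECURITY_YAMA y
    fi
```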
@@ -184,6 +184,7 @@ KERNEL_ZSWAP=${KERNEL_ZSWAP:=false} KERNEL_VIRT=${KERNEL_VIRT:=false} KERNEL_BPF=${KERNEL_BPF:=false} KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave} +KERNEL_SECURITY=${KERNEL_SECURITY:=false} # Kernel compilation from source directory settings KERNELSRC_DIR=${KERNELSRC_DIR:=""}