.
Unknown -
r499:831ef928e121
@@ -140,7 +140,7 if [ "$BUILD_KERNEL" = true ] ; then
140 set_kernel_config CONFIG_KEYS_COMPAT=y
140 set_kernel_config CONFIG_KEYS_COMPAT=y
141
141
142 # Apparmor
142 # Apparmor
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 1
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
@@ -155,11 +155,35 if [ "$BUILD_KERNEL" = true ] ; then
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
158
159 # New Options
160 if [ "$KERNEL_NF" = true ]
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
158 fi
181 fi
159
182
160 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
183 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
161 if [ "$KERNEL_NF" = true ] ; then
184 if [ "$KERNEL_NF" = true ] ; then
162 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
185 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
186 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
163 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
187 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
164 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
188 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
165 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
189 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
@@ -183,6 +207,7 if [ "$BUILD_KERNEL" = true ] ; then
183 set_kernel_config CONFIG_IP6_NF_NAT m
207 set_kernel_config CONFIG_IP6_NF_NAT m
184 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
208 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
185 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
209 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
210 set_kernel_config CONFIG_IP_NF_SECURITY m
186 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
211 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
187 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
212 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
188 set_kernel_config CONFIG_IP_SET_HASH_IP m
213 set_kernel_config CONFIG_IP_SET_HASH_IP m
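Review bot: The `if [ "$KERNEL_NF" = true ]` added at new line 160 has no `then`, so the script fails to parse at the matching `fi` on new line 164; it should read `if [ "$KERNEL_NF" = true ] ; then`, as the Netfilter block at new line 184 does. That block sets `CONFIG_IP_NF_SECURITY m`, which is added again at new line 210, so one of the two can go. `CONFIG_SYSTEM_TRUSTED_KEYS` at new line 177 is a string option that holds a PEM file path rather than a boolean, so `y` is probably not what is wanted; how set_kernel_config writes the value is not visible on this page. A comment above the `n` lines saying why IMA, EVM and LoadPin are switched off, for example `# AppArmor is the only LSM in this image; integrity subsystems are not used`, would help the next reader. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside these hunks.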
@@ -205,6 +205,9 else
205 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
205 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
206 fi
206 fi
207 fi
207 fi
208 if [ "$KERNEL_SECURITY" = true ] ; then
209 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
210 fi
208
211
209 # Install firmware boot cmdline
212 # Install firmware boot cmdline
210 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
213 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
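Review bot: The `apparmor=1 security=apparmor` block added at new lines 208-210 becomes the only thing that turns AppArmor on at boot if the built-in default `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE` is 0; this page prints both 1 and 0 for that option in the kernel-config section, so which value is the new one is not certain. In that case an image built with `KERNEL_SECURITY` unset, or a later edit of `${BOOT_DIR}/cmdline.txt`, leaves the LSM silently disabled, whereas a kernel default of 1 makes the command line an override rather than the switch. I would add a comment above the block such as `# AppArmor: enable explicitly at boot, the kernel default may be 0`. On kernels 5.1 and later `security=` is a legacy parameter and `lsm=` is preferred, so it is worth checking which kernel version this targets. The enclosing function starts outside the hunk.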