.
Unknown -
r499:831ef928e121
@@ -140,7 +140,7 if [ "$BUILD_KERNEL" = true ] ; then
140 140 set_kernel_config CONFIG_KEYS_COMPAT=y
141 141
142 142 # Apparmor
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 1
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
144 144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
145 145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 146 set_kernel_config CONFIG_SECURITY_APPARMOR y
@@ -155,11 +155,35 if [ "$BUILD_KERNEL" = true ] ; then
155 155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
156 156 set_kernel_config CONFIG_SECURITY_PATH=y
157 157 set_kernel_config CONFIG_SECURITY_YAMA=y
158
159 # New Options
160 if [ "$KERNEL_NF" = true ]
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
158 181 fi
159 182
160 183 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
161 184 if [ "$KERNEL_NF" = true ] ; then
162 185 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m
186 set_kernel_config CONFIG_NETFILTER_XT_TARGET_AUDIT m
163 187 set_kernel_config CONFIG_NETFILTER_XT_MATCH_CGROUP m
164 188 set_kernel_config CONFIG_NETFILTER_XT_MATCH_IPCOMP m
165 189 set_kernel_config CONFIG_NETFILTER_XT_MATCH_SOCKET m
@@ -183,6 +207,7 if [ "$BUILD_KERNEL" = true ] ; then
183 207 set_kernel_config CONFIG_IP6_NF_NAT m
184 208 set_kernel_config CONFIG_IP6_NF_TARGET_MASQUERADE m
185 209 set_kernel_config CONFIG_IP6_NF_TARGET_NPT m
210 set_kernel_config CONFIG_IP_NF_SECURITY m
186 211 set_kernel_config CONFIG_IP_SET_BITMAP_IPMAC m
187 212 set_kernel_config CONFIG_IP_SET_BITMAP_PORT m
188 213 set_kernel_config CONFIG_IP_SET_HASH_IP m
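Review bot: The new `if [ "$KERNEL_NF" = true ]` at new line 160 has no `; then`, so the shell will stop with a syntax error at the matching `fi`; it should read `if [ "$KERNEL_NF" = true ] ; then`, as the Netfilter block a few lines below does. `CONFIG_IP_NF_SECURITY m` is set here and again at new line 210 inside the existing KERNEL_NF block, so one of the two is redundant. `CONFIG_SYSTEM_TRUSTED_KEYS` is a string option naming a PEM file, not a boolean, so `y` is probably not what is meant and may break the certificate build step, depending on how `set_kernel_config` writes the value. The enclosing `BUILD_KERNEL` block starts and ends outside these hunks.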
@@ -205,6 +205,9 else
205 205 CMDLINE="${CMDLINE} zswap.enabled=1 zswap.max_pool_percent=25 zswap.compressor=lz4"
206 206 fi
207 207 fi
208 if [ "$KERNEL_SECURITY" = true ] ; then
209 CMDLINE="${CMDLINE} apparmor=1 security=apparmor"
210 fi
208 211
209 212 # Install firmware boot cmdline
210 213 echo "${CMDLINE}" > "${BOOT_DIR}/cmdline.txt"
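Review bot: AppArmor now depends on `KERNEL_SECURITY` being set at build time, and nothing in the new block at new lines 208-210 says so. The kernel-config section of this commit appears to change `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE` from 1 to 0, while `apparmor=1 security=apparmor` is appended only inside this conditional, so an image built without the flag would boot with AppArmor disabled. If that default is intended, add a comment above the block such as `# Kernel default is apparmor=0 (BOOTPARAM_VALUE); KERNEL_SECURITY=true enables AppArmor via cmdline`. `KERNEL_SECURITY` is not defined in the visible lines, so confirm it has a default and is documented with the other build parameters. The surrounding if/else starts outside the hunk.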