Raspi2-3_GenImage Commit - r497:f13e9b47cfc2 · Collaboration Tremplin des Sciences

apparmor

Unknown -

r497:f13e9b47cfc2

parent child

Context file:

r497:f13e9b47cfc2

Collapse all files

README.md +2 0

             ##### `KERNEL_BPF`=true
             Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
+            ##### `KERNEL_SECURITY`=false
+            Enables Apparmor, integrity subsystem, auditing
             ---
             #### Reduce disk usage:

bootstrap.d/13-kernel.sh +42 0

@@ -115,6 +115,48 if [ "$BUILD_KERNEL" = true ] ; then
115	set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y	115	set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
116	fi	116	fi
117		117
		118	# enable apparmor,integrity audit,
		119	if [ "$KERNEL_SECURITY" = true ] ; then
		120
		121	# security filesystem, security models and audit
		122	set_kernel_config CONFIG_SECURITYFS y
		123	set_kernel_config CONFIG_SECURITY y
		124	set_kernel_config CONFIG_AUDIT y
		125
		126	# harden strcpy and memcpy
		127	set_kernel_config CONFIG_HARDENED_USERCOPY=y
		128	set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
		129	set_kernel_config CONFIG_FORTIFY_SOURCE=y
		130
		131	# integrity sub-system
		132	set_kernel_config CONFIG_INTEGRITY=y
		133	set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
		134	set_kernel_config CONFIG_INTEGRITY_AUDIT=y
		135	set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
		136	set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
		137
		138	# This option provides support for retaining authentication tokens and access keys in the kernel.
		139	set_kernel_config CONFIG_KEYS=y
		140	set_kernel_config CONFIG_KEYS_COMPAT=y
		141
		142	# Apparmor
		143	set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 1
		144	set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
		145	set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
		146	set_kernel_config CONFIG_SECURITY_APPARMOR y
		147	set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
		148	set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
		149
		150	# restrictions on unprivileged users reading the kernel
		151	set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
		152
		153	# network security hooks
		154	set_kernel_config CONFIG_SECURITY_NETWORK y
		155	set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
		156	set_kernel_config CONFIG_SECURITY_PATH=y
		157	set_kernel_config CONFIG_SECURITY_YAMA=y
		158	fi
		159
118	# Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406	160	# Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
119	if [ "$KERNEL_NF" = true ] ; then	161	if [ "$KERNEL_NF" = true ] ; then
120	set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m	162	set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m

rpi23-gen-image.sh +1 0

             KERNEL_VIRT=${KERNEL_VIRT:=false}
             KERNEL_BPF=${KERNEL_BPF:=false}
             KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
+            KERNEL_SECURITY=${KERNEL_SECURITY:=false}
             # Kernel compilation from source directory settings
             KERNELSRC_DIR=${KERNELSRC_DIR:=""}

General Comments 0

Écrire
Preview

Vous devez vous connecter pour laisser un commentaire. Se connecter maintenant

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Dépôts
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages