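--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -369,6 +369,8 @@ Enable Kernel Zswap support. Best use on high RAM load and mediocre CPU load use
 ##### `KERNEL_BPF`=true
 Allow attaching eBPF programs to a cgroup using the bpf syscall (CONFIG_BPF_SYSCALL CONFIG_CGROUP_BPF) [systemd compilations about it - File /lib/systemd/system/systemd-journald.server:36 configures an IP firewall (IPAddressDeny=all), but the local system does not support BPF/cgroup based firewalls]
 
+##### `KERNEL_SECURITY`=false
+Enables Apparmor, integrity subsystem, auditing
 ---
 
 #### Reduce disk usage: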
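--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -115,6 +115,48 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
 fi
 
+# enable apparmor,integrity audit,
+if [ "$KERNEL_SECURITY" = true ] ; then
+
+# security filesystem, security models and audit
+set_kernel_config CONFIG_SECURITYFS y
+set_kernel_config CONFIG_SECURITY y
+set_kernel_config CONFIG_AUDIT y
+
+# harden strcpy and memcpy
+set_kernel_config CONFIG_HARDENED_USERCOPY=y
+set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+set_kernel_config CONFIG_FORTIFY_SOURCE=y
+
+# integrity sub-system
+set_kernel_config CONFIG_INTEGRITY=y
+set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+set_kernel_config CONFIG_INTEGRITY_AUDIT=y
+set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
+set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+
+# This option provides support for retaining authentication tokens and access keys in the kernel.
+set_kernel_config CONFIG_KEYS=y
+set_kernel_config CONFIG_KEYS_COMPAT=y
+
+# Apparmor
+set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 1
+set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
+set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
+set_kernel_config CONFIG_SECURITY_APPARMOR y
+set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
+set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
+
+# restrictions on unprivileged users reading the kernel
+set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
+
+# network security hooks
+set_kernel_config CONFIG_SECURITY_NETWORK y
+set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
+set_kernel_config CONFIG_SECURITY_PATH=y
+set_kernel_config CONFIG_SECURITY_YAMA=y
+fi
+
 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
 if [ "$KERNEL_NF" = true ] ; then
 set_kernel_config CONFIG_IP_NF_TARGET_SYNPROXY m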
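Review bot: New lines 127–129, 132–136, 139–140, 151 and 155–157 glue the value onto the symbol name (`set_kernel_config CONFIG_HARDENED_USERCOPY=y`), while every other call in the hunk and the existing line 115 pass it as a separate argument (`set_kernel_config CONFIG_SECURITY y`); if set_kernel_config takes name and value as two arguments, as its other uses suggest, these calls get `CONFIG_…=y` as the symbol and an empty value, and the hardening options are silently never enabled. Change each of them to the two-argument form, e.g. `set_kernel_config CONFIG_HARDENED_USERCOPY y`. The comment `# harden strcpy and memcpy` on line 126 describes FORTIFY_SOURCE but not HARDENED_USERCOPY, which bounds-checks copies between kernel and user space; suggest `# bounds-check kernel/user copies (HARDENED_USERCOPY) and fortify str*/mem* calls (FORTIFY_SOURCE)`. CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR is, to my knowledge, selected by the allocator rather than set by the user, so line 128 is likely a no-op and can be dropped. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts before the hunk.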
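--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -184,6 +184,7 @@ KERNEL_ZSWAP=${KERNEL_ZSWAP:=false}
 KERNEL_VIRT=${KERNEL_VIRT:=false}
 KERNEL_BPF=${KERNEL_BPF:=false}
 KERNEL_DEFAULT_GOV=${KERNEL_DEFAULT_GOV:=powersave}
+KERNEL_SECURITY=${KERNEL_SECURITY:=false}
 
 # Kernel compilation from source directory settings
 KERNELSRC_DIR=${KERNELSRC_DIR:=""}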