
Enable apparmor in-kernel.

parazyd 1 year ago
parent
commit
f37af45929
3 changed files with 56 additions and 4 deletions
  1. 3 0
      config
  2. 26 2
      extra/heads-amd64.config
  3. 27 2
      extra/heads-i386.config

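--- a/config
+++ b/config
@@ -74,6 +74,8 @@ extra_packages=(
 	strace
 	acl
 	gradm2
+	apparmor
+	python3-apparmor
 
 	gnupg2
 	dirmngr
@@ -89,6 +91,7 @@ extra_packages=(
 	qrencode
 
 	tor
+	nyx
 	apt-transport-tor
 	apt-transport-https
 	tsocks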
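Review bot: `python3-apparmor` is added next to `apparmor` in the first hunk, but on Debian-derived archives the profile management tools (aa-genprof, aa-enforce, aa-complain) ship in `apparmor-utils`, which is not added, so the Python bindings probably have no consumer on the image. No profile package appears here either; unless profiles are installed elsewhere in the build, the new kernel support has nothing to enforce. The second hunk's `nyx` is unrelated to AppArmor and would read better as its own commit. The `extra_packages=(` array starts and ends outside both hunks.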

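--- a/extra/heads-amd64.config
+++ b/extra/heads-amd64.config
@@ -76,8 +76,11 @@ CONFIG_POSIX_MQUEUE=y
 CONFIG_POSIX_MQUEUE_SYSCTL=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 # CONFIG_FHANDLE is not set
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
 
 #
 # IRQ subsystem
@@ -838,6 +841,7 @@ CONFIG_IPV6_SUBTREES=y
 CONFIG_IPV6_MROUTE=y
 CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
 CONFIG_IPV6_PIMSM_V2=y
+# CONFIG_NETLABEL is not set
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NET_PTP_CLASSIFY=y
 CONFIG_NETWORK_PHY_TIMESTAMPING=y
@@ -931,6 +935,7 @@ CONFIG_NETFILTER_XT_SET=m
 #
 # Xtables targets
 #
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
@@ -1107,6 +1112,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m
 CONFIG_IP_NF_TARGET_ECN=m
 CONFIG_IP_NF_TARGET_TTL=m
 CONFIG_IP_NF_RAW=m
+# CONFIG_IP_NF_SECURITY is not set
 CONFIG_IP_NF_ARPTABLES=m
 CONFIG_IP_NF_ARPFILTER=m
 CONFIG_IP_NF_ARP_MANGLE=m
@@ -1144,6 +1150,7 @@ CONFIG_IP6_NF_TARGET_REJECT=m
 CONFIG_IP6_NF_TARGET_SYNPROXY=m
 CONFIG_IP6_NF_MANGLE=m
 CONFIG_IP6_NF_RAW=m
+# CONFIG_IP6_NF_SECURITY is not set
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_TARGET_MASQUERADE=m
 CONFIG_IP6_NF_TARGET_NPT=m
@@ -6372,11 +6379,28 @@ CONFIG_KEYS_COMPAT=y
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
+CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
 CONFIG_HARDENED_USERCOPY=y
+# CONFIG_SECURITY_SELINUX is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_XOR_BLOCKS=y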
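Review bot: AppArmor is compiled in by the last hunk but not selected as the active LSM: `# CONFIG_DEFAULT_SECURITY_APPARMOR is not set` is added while `CONFIG_DEFAULT_SECURITY_DAC=y` and `CONFIG_DEFAULT_SECURITY=""` stay as context. On kernels that still carry CONFIG_DEFAULT_SECURITY, the major LSM is the one named there unless `security=` is given at boot, so `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` alone would presumably leave AppArmor inactive unless the bootloader passes `security=apparmor`; the boot command line is not visible in this commit. If confinement is meant to be on by default, I would set `CONFIG_DEFAULT_SECURITY_APPARMOR=y` and `CONFIG_DEFAULT_SECURITY="apparmor"` and unset `CONFIG_DEFAULT_SECURITY_DAC`. The same applies to the matching hunk in extra/heads-i386.config.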

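--- a/extra/heads-i386.config
+++ b/extra/heads-i386.config
@@ -73,8 +73,11 @@ CONFIG_POSIX_MQUEUE=y
 CONFIG_POSIX_MQUEUE_SYSCTL=y
 CONFIG_CROSS_MEMORY_ATTACH=y
 # CONFIG_FHANDLE is not set
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
 
 #
 # IRQ subsystem
@@ -856,6 +859,7 @@ CONFIG_IPV6_SUBTREES=y
 CONFIG_IPV6_MROUTE=y
 CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
 CONFIG_IPV6_PIMSM_V2=y
+# CONFIG_NETLABEL is not set
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NET_PTP_CLASSIFY=y
 CONFIG_NETWORK_PHY_TIMESTAMPING=y
@@ -949,6 +953,7 @@ CONFIG_NETFILTER_XT_SET=m
 #
 # Xtables targets
 #
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
@@ -1125,6 +1130,7 @@ CONFIG_IP_NF_TARGET_CLUSTERIP=m
 CONFIG_IP_NF_TARGET_ECN=m
 CONFIG_IP_NF_TARGET_TTL=m
 CONFIG_IP_NF_RAW=m
+# CONFIG_IP_NF_SECURITY is not set
 CONFIG_IP_NF_ARPTABLES=m
 CONFIG_IP_NF_ARPFILTER=m
 CONFIG_IP_NF_ARP_MANGLE=m
@@ -1162,6 +1168,7 @@ CONFIG_IP6_NF_TARGET_REJECT=m
 CONFIG_IP6_NF_TARGET_SYNPROXY=m
 CONFIG_IP6_NF_MANGLE=m
 CONFIG_IP6_NF_RAW=m
+# CONFIG_IP6_NF_SECURITY is not set
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_TARGET_MASQUERADE=m
 CONFIG_IP6_NF_TARGET_NPT=m
@@ -6385,11 +6392,28 @@ CONFIG_KEYS=y
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
-# CONFIG_SECURITY is not set
+CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
+CONFIG_SECURITY_PATH=y
 # CONFIG_INTEL_TXT is not set
 CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
 CONFIG_HARDENED_USERCOPY=y
+# CONFIG_SECURITY_SELINUX is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
+# CONFIG_EVM is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_XOR_BLOCKS=y
@@ -6621,6 +6645,7 @@ CONFIG_CRC32_SLICEBY8=y
 CONFIG_CRC7=m
 CONFIG_LIBCRC32C=m
 CONFIG_CRC8=m
+CONFIG_AUDIT_GENERIC=y
 # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
 # CONFIG_RANDOM32_SELFTEST is not set
 CONFIG_842_COMPRESS=y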