aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDenys Dmytriyenko <denys@konsulko.com>2022-12-14 21:23:20 +0000
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-12-16 12:12:59 +0000
commitb3de7ee33730a74948d435dbbe7eb6c8af95b7e2 (patch)
tree1a31dbf3e0f487785763289d10ee3e36a5e10672
parent38a021b530142f0c549e89bd18c908f83c80e097 (diff)
linux: config: move CONFIG_AUDIT* into own fragment
Enabling CONFIG_AUDIT* is needed by auditd and should be safe whether systemd is used or not and is not specific to SELinux. Note that systemd README has this old caveat mentioned | Note that kernel auditing is broken when used with systemd's | container code. When using systemd in conjunction with | containers, please make sure to either turn off auditing at | runtime using the kernel command line option "audit=0", or | turn it off at kernel compile time using: | CONFIG_AUDIT=n | If systemd is compiled with libseccomp support on | architectures which do not use socketcall() and where seccomp | is supported (this effectively means x86-64 and ARM, but | excludes 32-bit x86!), then nspawn will now install a | work-around seccomp filter that makes containers boot even | with audit being enabled. This works correctly only on kernels | 3.14 and newer though. TL;DR: turn audit off, still. But that seems to only apply to nspawn usage in some specific cases and on older kernels, plus there are even runtime workarounds available when needed, so let's enable it by default. Bug-AGL: SPEC-4627 Change-Id: I5fcd58ba41929d2966fadea27b6751e4fa6589c9 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28276 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-agl-config.inc1
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/audit.cfg2
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/selinux.cfg2
3 files changed, 3 insertions, 2 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
index b8fc8bd6f..2a86931a8 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
@@ -39,6 +39,7 @@ AGL_KCONFIG_FRAGMENTS += " \
can-bus.cfg \
fanotify.cfg \
overlayfs.cfg \
+ audit.cfg \
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \
"
diff --git a/meta-agl-core/recipes-kernel/linux/linux/audit.cfg b/meta-agl-core/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 000000000..7decc799c
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDIT_GENERIC=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg b/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg
index 86330f110..5998111e3 100644
--- a/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg
+++ b/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg
@@ -1,5 +1,3 @@
-CONFIG_AUDIT=y
-CONFIG_AUDIT_GENERIC=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y