linux: config: add systemd sandboxing fragment

Add a kernel config fragment that enables additional features needed for
systemd sandboxing support, using Classic BPF (Berkeley Packet Filter)
kernel framework. Eventually this will be extended with more advanced
features using eBPF (extended BPF), BTF (BPF Type Format) and LSM (Lunux
Security Module) frameworks.

Bug-AGL: SPEC-4627
Change-Id: I9ed21c654b2e0298be66073750dab6920e49b0c9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28297
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2 files changed, 10 insertions, 0 deletions

diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
index 2a86931a8..e42ae823d 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
@@ -42,6 +42,7 @@ AGL_KCONFIG_FRAGMENTS += " \
     audit.cfg \
     ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-sandbox.cfg', '', d)} \
 "
 
 AGL_KCONFIG_FRAGMENTS += " ${@bb.utils.contains('AGL_XEN_GUEST_WANTED','1','xen_domu.cfg','',d)}"
diff --git a/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
new file mode 100644
index 000000000..d451d554c
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
@@ -0,0 +1,9 @@
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_ACT_BPF=m
+CONFIG_BPF_JIT=y
+CONFIG_HAVE_EBPF_JIT=y
+CONFIG_BPF_EVENTS=y
+CONFIG_BPF_LSM=y
+CONFIG_CGROUP_BPF=y