summaryrefslogtreecommitdiffstats
path: root/templates
diff options
context:
space:
mode:
authorDenys Dmytriyenko <denys@konsulko.com>2022-12-14 21:23:20 +0000
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-12-16 12:12:59 +0000
commitb3de7ee33730a74948d435dbbe7eb6c8af95b7e2 (patch)
tree1a31dbf3e0f487785763289d10ee3e36a5e10672 /templates
parent38a021b530142f0c549e89bd18c908f83c80e097 (diff)
linux: config: move CONFIG_AUDIT* into own fragment
Enabling CONFIG_AUDIT* is needed by auditd and should be safe whether systemd is used or not and is not specific to SELinux. Note that systemd README has this old caveat mentioned | Note that kernel auditing is broken when used with systemd's | container code. When using systemd in conjunction with | containers, please make sure to either turn off auditing at | runtime using the kernel command line option "audit=0", or | turn it off at kernel compile time using: | CONFIG_AUDIT=n | If systemd is compiled with libseccomp support on | architectures which do not use socketcall() and where seccomp | is supported (this effectively means x86-64 and ARM, but | excludes 32-bit x86!), then nspawn will now install a | work-around seccomp filter that makes containers boot even | with audit being enabled. This works correctly only on kernels | 3.14 and newer though. TL;DR: turn audit off, still. But that seems to only apply to nspawn usage in some specific cases and on older kernels, plus there are even runtime workarounds available when needed, so let's enable it by default. Bug-AGL: SPEC-4627 Change-Id: I5fcd58ba41929d2966fadea27b6751e4fa6589c9 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28276 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'templates')
0 files changed, 0 insertions, 0 deletions