summaryrefslogtreecommitdiffstats
path: root/meta-agl-core/recipes-kernel/linux
diff options
context:
space:
mode:
Diffstat (limited to 'meta-agl-core/recipes-kernel/linux')
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch40
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch109
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc8
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-agl-config.inc11
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/audit.cfg2
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/lttng.cfg1
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/selinux.cfg14
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/systemd-required.cfg42
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg9
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/vbox-vmware-sata.cfg1
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/x86-extra-graphic-devices.cfg5
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux/x86-usb-devices.cfg1
12 files changed, 79 insertions, 164 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
deleted file mode 100644
index c595dfdf5..000000000
--- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 27 Feb 2018 17:06:21 +0100
-Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The new file system CGROUP2 isn't actually handled
-by smack. This changes makes Smack treat equally
-CGROUP and CGROUP2 items.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- security/smack/smack_lsm.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 03fdecba93bb..5d77ed04422c 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
- if (opt_dentry->d_parent == opt_dentry) {
- switch (sbp->s_magic) {
- case CGROUP_SUPER_MAGIC:
-+ case CGROUP2_SUPER_MAGIC:
- /*
- * The cgroup filesystem is never mounted,
- * so there's no opportunity to set the mount
-@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
- switch (sbp->s_magic) {
- case SMACK_MAGIC:
- case CGROUP_SUPER_MAGIC:
-+ case CGROUP2_SUPER_MAGIC:
- /*
- * Casey says that it's a little embarrassing
- * that the smack file system doesn't do
---
-2.14.3
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
deleted file mode 100644
index 4100bb8fd..000000000
--- a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-Smack: Privilege check on key operations
-
-Operations on key objects are subjected to Smack policy
-even if the process is privileged. This is inconsistent
-with the general behavior of Smack and may cause issues
-with authentication by privileged daemons. This patch
-allows processes with CAP_MAC_OVERRIDE to access keys
-even if the Smack rules indicate otherwise.
-
-Reported-by: Jose Bollo <jobol@nonadev.net>
-Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
----
- security/smack/smack.h | 1 +
- security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
- security/smack/smack_lsm.c | 4 ++++
- 3 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/security/smack/smack.h b/security/smack/smack.h
-index 6a71fc7..f7db791 100644
---- a/security/smack/smack.h
-+++ b/security/smack/smack.h
-@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
- void smk_insert_entry(struct smack_known *skp);
- struct smack_known *smk_find_entry(const char *);
- bool smack_privileged(int cap);
-+bool smack_privileged_cred(int cap, const struct cred *cred);
- void smk_destroy_label_list(struct list_head *list);
-
- /*
-diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
-index 1a30041..141ffac 100644
---- a/security/smack/smack_access.c
-+++ b/security/smack/smack_access.c
-@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
- LIST_HEAD(smack_onlycap_list);
- DEFINE_MUTEX(smack_onlycap_lock);
-
--/*
-+/**
-+ * smack_privileged_cred - are all privilege requirements met by cred
-+ * @cap: The requested capability
-+ * @cred: the credential to use
-+ *
- * Is the task privileged and allowed to be privileged
- * by the onlycap rule.
- *
- * Returns true if the task is allowed to be privileged, false if it's not.
- */
--bool smack_privileged(int cap)
-+bool smack_privileged_cred(int cap, const struct cred *cred)
- {
-- struct smack_known *skp = smk_of_current();
-+ struct task_smack *tsp = cred->security;
-+ struct smack_known *skp = tsp->smk_task;
- struct smack_known_list_elem *sklep;
- int rc;
-
-- /*
-- * All kernel tasks are privileged
-- */
-- if (unlikely(current->flags & PF_KTHREAD))
-- return true;
--
-- rc = cap_capable(current_cred(), &init_user_ns, cap,
-- SECURITY_CAP_AUDIT);
-+ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
- if (rc)
- return false;
-
-@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
-
- return false;
- }
-+
-+/**
-+ * smack_privileged - are all privilege requirements met
-+ * @cap: The requested capability
-+ *
-+ * Is the task privileged and allowed to be privileged
-+ * by the onlycap rule.
-+ *
-+ * Returns true if the task is allowed to be privileged, false if it's not.
-+ */
-+bool smack_privileged(int cap)
-+{
-+ /*
-+ * All kernel tasks are privileged
-+ */
-+ if (unlikely(current->flags & PF_KTHREAD))
-+ return true;
-+
-+ return smack_privileged_cred(cap, current_cred());
-+}
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 30f2c3d..03fdecb 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
- */
- if (tkp == NULL)
- return -EACCES;
-+
-+ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
-+ return 0;
-+
- #ifdef CONFIG_AUDIT
- smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
- ad.a.u.key_struct.key = keyp->serial;
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
index 8476f343b..9ab3d34af 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
@@ -1,13 +1,5 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/linux-4.14:"
-#-------------------------------------------------------------------------
-# smack patches for kernels keys
-
-SRC_URI:append:with-lsm-smack = "\
- file://Smack-Privilege-check-on-key-operations.patch \
- file://Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch \
- "
-
SRC_URI:append = "\
file://net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch \
file://net-sch_generic-Use-pfifo_fast-as-fallback-scheduler.patch \
diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
index a5e9c375a..4799a6180 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
@@ -39,6 +39,11 @@ AGL_KCONFIG_FRAGMENTS += " \
can-bus.cfg \
fanotify.cfg \
overlayfs.cfg \
+ audit.cfg \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-sandbox.cfg', '', d)} \
+ lttng.cfg \
"
AGL_KCONFIG_FRAGMENTS += " ${@bb.utils.contains('AGL_XEN_GUEST_WANTED','1','xen_domu.cfg','',d)}"
@@ -66,6 +71,10 @@ AGL_KCONFIG_FRAGMENTS:append:qemuall = " \
qemu-drm.cfg \
"
+AGL_KCONFIG_FRAGMENTS:append:virtio-all = " \
+ sound-hda.cfg \
+"
+
# Configuration for using the ARM virt machine (and not versatilepb)
AGL_KCONFIG_FRAGMENTS:append:qemuarm = " qemuarm.cfg"
@@ -73,7 +82,7 @@ AGL_KCONFIG_FRAGMENTS:append:qemuarm = " qemuarm.cfg"
# OVERRIDES save us some c'n'p below ...
OVERRIDES:prepend:qemux86 = "virtualmachine:"
OVERRIDES:prepend:qemux86-64 = "virtualmachine:"
-AGL_KCONFIG_FRAGMENTS:append_virtualmachine = " vbox-vmware-sata.cfg"
+AGL_KCONFIG_FRAGMENTS:append:virtualmachine = " vbox-vmware-sata.cfg"
# Extra configuration for using qemux86-64 image on physical hardware
AGL_KCONFIG_FRAGMENTS:append:qemux86-64 = " \
diff --git a/meta-agl-core/recipes-kernel/linux/linux/audit.cfg b/meta-agl-core/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 000000000..7decc799c
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDIT_GENERIC=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/lttng.cfg b/meta-agl-core/recipes-kernel/linux/linux/lttng.cfg
new file mode 100644
index 000000000..e5f6b9c69
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/lttng.cfg
@@ -0,0 +1 @@
+CONFIG_KALLSYMS_ALL=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg b/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg
new file mode 100644
index 000000000..d49283158
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg
@@ -0,0 +1,14 @@
+CONFIG_NETWORK_SECMARK=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_JFS_SECURITY=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_JFFS2_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/systemd-required.cfg b/meta-agl-core/recipes-kernel/linux/linux/systemd-required.cfg
new file mode 100644
index 000000000..3424c80b9
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/systemd-required.cfg
@@ -0,0 +1,42 @@
+CONFIG_TMPFS=y
+CONFIG_TMPFS_XATTR=y
+CONFIG_TMPFS_POSIX_ACL=y
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_AUTOFS_FS=y
+CONFIG_EXT4_FS_POSIX_ACL=y
+CONFIG_BLK_DEV_BSG=y
+CONFIG_BLK_CGROUP=y
+CONFIG_CGROUPS=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CGROUP_PERF=y
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_RT_GROUP_SCHED=n
+CONFIG_SCHED_DEBUG=y
+CONFIG_SCHEDSTATS=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_INOTIFY_USER=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EPOLL=y
+CONFIG_NET=y
+CONFIG_UNIX=y
+CONFIG_PROC_FS=y
+CONFIG_SYSFS=y
+CONFIG_FHANDLE=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_UEVENT_HELPER_PATH=""
+CONFIG_FW_LOADER_USER_HELPER=n
+CONFIG_DMIID=y
+CONFIG_NAMESPACES=y
+CONFIG_NET_NS=y
+CONFIG_USER_NS=y
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_CHECKPOINT_RESTORE=y
+CONFIG_CFS_BANDWIDTH=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
new file mode 100644
index 000000000..d451d554c
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
@@ -0,0 +1,9 @@
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_ACT_BPF=m
+CONFIG_BPF_JIT=y
+CONFIG_HAVE_EBPF_JIT=y
+CONFIG_BPF_EVENTS=y
+CONFIG_BPF_LSM=y
+CONFIG_CGROUP_BPF=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/vbox-vmware-sata.cfg b/meta-agl-core/recipes-kernel/linux/linux/vbox-vmware-sata.cfg
index ce1eca1a7..a37f07d1f 100644
--- a/meta-agl-core/recipes-kernel/linux/linux/vbox-vmware-sata.cfg
+++ b/meta-agl-core/recipes-kernel/linux/linux/vbox-vmware-sata.cfg
@@ -12,7 +12,6 @@ CONFIG_BLK_DEV_SD=y
CONFIG_FUSION=y
CONFIG_FUSION_SPI=y
CONFIG_DRM_VMWGFX=y
-CONFIG_DRM_VMWGFX_FBCON=y
CONFIG_VMWARE_BALLOON=m
CONFIG_VMWARE_VMCI=m
CONFIG_VMWARE_VMCI_VSOCKETS=m
diff --git a/meta-agl-core/recipes-kernel/linux/linux/x86-extra-graphic-devices.cfg b/meta-agl-core/recipes-kernel/linux/linux/x86-extra-graphic-devices.cfg
index d2b64de67..9c8e240e9 100644
--- a/meta-agl-core/recipes-kernel/linux/linux/x86-extra-graphic-devices.cfg
+++ b/meta-agl-core/recipes-kernel/linux/linux/x86-extra-graphic-devices.cfg
@@ -11,11 +11,8 @@ CONFIG_NOUVEAU_DEBUG=5
CONFIG_NOUVEAU_DEBUG_DEFAULT=3
CONFIG_DRM_NOUVEAU_BACKLIGHT=y
CONFIG_DRM_VGEM=m
-CONFIG_DRM_VMWGFX=m
-CONFIG_DRM_VMWGFX_FBCON=y
+CONFIG_DRM_VMWGFX=y
CONFIG_DRM_GMA500=m
-CONFIG_DRM_GMA600=y
-CONFIG_DRM_GMA3600=y
CONFIG_DRM_UDL=m
CONFIG_FB_DEFERRED_IO=y
CONFIG_FB_BACKLIGHT=y
diff --git a/meta-agl-core/recipes-kernel/linux/linux/x86-usb-devices.cfg b/meta-agl-core/recipes-kernel/linux/linux/x86-usb-devices.cfg
index 19c57796e..d74d4afd8 100644
--- a/meta-agl-core/recipes-kernel/linux/linux/x86-usb-devices.cfg
+++ b/meta-agl-core/recipes-kernel/linux/linux/x86-usb-devices.cfg
@@ -75,7 +75,6 @@ CONFIG_WL18XX=m
CONFIG_WLCORE=m
CONFIG_WLCORE_SPI=m
CONFIG_WLCORE_SDIO=m
-CONFIG_WILINK_PLATFORM_DATA=y
CONFIG_ZD1211RW=m
CONFIG_ZD1211RW_DEBUG=y
CONFIG_MWIFIEX=m