Age | Commit message (Collapse) | Author | Files | Lines |
|
Add a kernel config fragment that enables additional features needed for
systemd sandboxing support, using Classic BPF (Berkeley Packet Filter)
kernel framework. Eventually this will be extended with more advanced
features using eBPF (extended BPF), BTF (BPF Type Format) and LSM (Lunux
Security Module) frameworks.
Bug-AGL: SPEC-4627
Change-Id: I9ed21c654b2e0298be66073750dab6920e49b0c9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28297
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Enabling CONFIG_AUDIT* is needed by auditd and should be safe whether systemd
is used or not and is not specific to SELinux.
Note that systemd README has this old caveat mentioned
| Note that kernel auditing is broken when used with systemd's
| container code. When using systemd in conjunction with
| containers, please make sure to either turn off auditing at
| runtime using the kernel command line option "audit=0", or
| turn it off at kernel compile time using:
| CONFIG_AUDIT=n
| If systemd is compiled with libseccomp support on
| architectures which do not use socketcall() and where seccomp
| is supported (this effectively means x86-64 and ARM, but
| excludes 32-bit x86!), then nspawn will now install a
| work-around seccomp filter that makes containers boot even
| with audit being enabled. This works correctly only on kernels
| 3.14 and newer though. TL;DR: turn audit off, still.
But that seems to only apply to nspawn usage in some specific cases and on
older kernels, plus there are even runtime workarounds available when needed,
so let's enable it by default.
Bug-AGL: SPEC-4627
Change-Id: I5fcd58ba41929d2966fadea27b6751e4fa6589c9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28276
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Add kernel config fragment with all settings required by systemd.
Some more generic settings need to be explicitly set here as well to satisfy
necessary dependencies from systemd settings down the tree, otherwise some
BSPs would break.
Bug-AGL: SPEC-4627
Change-Id: I7a2796ea65da58a4f1fa0556cd94df67e7df7db9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28275
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Changes:
- Appending the virtio kernel metadata to SRC_URI in the linux-yocto
bbappend was having the side-effect of overriding a lot of the
changes from the other AGL configuration fragments. To avoid this,
prepend the addition to AGL_KCONFIG_FRAGMENTS instead.
- Add the HDA sound driver config fragment for virtio machines to
allow using the QEMU emulation.
- Add config fragment for the virtio kernel to ensure that
CONFIG_DRM and the fbdev emulation are on.
- Add config fragment for the virtio kernel to turn on CONFIG_PCI,
as there are some peripherals that we may need to expose to guests
with it. This and the DRM changes will be rationalized in the
metadata repo once it's clear we do need them.
Bug-AGL: SPEC-4618
Change-Id: I453b84d9840498772afd01404dd374f5c1d245da
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28191
ci-image-build: Jenkins Job builder account
Tested-by: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Commit d009fa0c42042a0b7d069779852953621e46469b as part of SPEC-4156 added a
kernel config fragment to disable CONFIG_RELAY. Since this fragment is only
applied to BBE, there's no need for it to reside in meta-agl-core and can be
moved to meta-agl-bsp/meta-sancloud.
Bug-AGL: SPEC-4156
Change-Id: I5da2632d6eb00bbf99ddb48cef861564d2ce868d
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28203
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Commit dd6fc5dcaa0a027b7651bb365d5dd0f623498f8f as part of SPEC-4052 converted
all overrides to the new syntax, but missed the one used for "virtualmachine"
Bug-AGL: SPEC-4052
Change-Id: I1905c7e3b70b05c4ef06d8b4f240d0e144587fab
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28204
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Add agl-selinux feature to enable SELinux support.
Notes:
- SELinux is in permissive mode by default for now, and using the
targeted policy by default.
- The linux-yocto specific bbappend in meta-selinux is masked out in
favor of adding a more universal kernel configuration fragment with
AGL's own scheme.
- SELinux specific recipes and bbappends are added via a meta-selinux
dynamic-layers addition in meta-agl-core to keep using meta-selinux
optional. This will avoid issues with the Yocto autobuilder testing
of meta-agl-core.
- To avoid the effectively hard-coded autorelabel on first boot, a
bbappend is added to the selinux-autorelabel recipe to remove the
flag creation. In the off chance that a build happens on a filesystem
without xattr support, the logic in the selinux-image bbclass will
still touch the /.autorelabel flag and trigger relabeling.
- A systemd unit and script are added with a new systemd-selinux-relabel
recipe to handle relabeling of some systemd generated files that do
not get handled during root filesystem construction. Some of these
can be addressed by some upstream tweaks, but /etc/machine-id will
always need special handling unless there is a shift to using
read-only or stateless root by default. With this workaround we still
avoid doing a full relabel and reboot on first boot, which helps
simplify CI.
Bug-AGL: SPEC-4332
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
The config option does provoke an Internal error at runtime.
Disable it for the BBE.
Bug-AGL: SPEC-4156
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Change-Id: I9c6c8a1279a3c4f40c383e036251f51bb4e9fc8e
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27240
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
|
|
This is mostly the result of running a slightly customized version
of the convert-overrides.py script from poky with additional
overrides added. A few minor fixups were done by hand afterwards
during a review of the changes.
The intent of these changes is to minimize the effort to keep the
"next" branch that builds against poky master up to date and tested
in preparation for the switch to the next Yocto LTS release in
early 2022.
Bug-AGL: SPEC-4052
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ia3bf63b7cb1aa1d95ada373d1a3ab56def0a125d
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26564
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Refactor the kernel configuration fragment handling to shift all AGL
applied configuration fragments into a new AGL_KCONFIG_FRAGMENTS
variable that is used to generate SRC_URI and KERNEL_CONFIG_FRAGMENTS
additions for the various BSPs. The intent is to make it simple to
disable AGL provided configuration in downstream builds as the IC EG
has expressed as a requirement. Additionally, the rework has allowed
for some clean up of accumulated cruft.
In practice, clearing AGL_KCONFIG_FRAGMENTS drops all non-BSP provided
kernel configuration with the exception of some qemu BSP related
additions required for AGL CI and some explicitly configurable things
like netboot support.
Notable changes:
- Instead of always using AGL's own fragment merging logic on top of
the BSP kernel recipe, an effort is now made to leverage the BSP
recipes' own merging schemes, so there are now separate include
files for kernel-yocto.bbclass and plain kernel.bbclass based kernel
recipes, as well as a common include file that defines the
AGL_KCONFIG_FRAGMENTS variable and its derivations. That file can
be included directly in bbappends for BSP kernel recipes that use
the KERNEL_CONFIG_FRAGMENTS scheme (e.g. meta-ti, meta-qcom).
- The SMACK enabling configuration in meta-app-framework has been
updated to supply different fragments for enabling SMACK by default
for 4.x and 5.x kernels. This removes a warning from always
supplying the old configuration, and allows providing a CONFIG_LSM
definition to ensure over-riding any BSP modifications.
This allows removing the previous hack to handle CONFIG_LSM being
set in the defconfigs in linux-raspberrypi.
- By request, the linux-yocto support from meta-agl-bsp/meta-core has
been rationalized into meta-agl-core to improve the experience when
using meta-agl-core standalone for testing.
- All demo supporting kernel configuration has been removed, a
subsequent change to meta-agl-demo will add it there by leveraging
AGL_KCONFIG_FRAGMENTS.
- The hardware device support has been split out of the can-bus.cfg
fragment, in favor of shifting it to meta-agl-demo. A few other
stray non-CAN configuration options have also been removed from
can-bus.cfg, as they do not seem to be required.
Bug-AGL: SPEC-3983
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: If6662fd36e26cec767b1d53b1188a74d01ef9dcf
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26460
Reviewed-by: Hiroyuki Ishii <ishii.hiroyuki002@jp.panasonic.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
|