From 2ea9cbefb8e0923f2f58e7e8022f3e134977a87a Mon Sep 17 00:00:00 2001 From: Scott Murray Date: Mon, 25 Jul 2022 14:23:13 -0400 Subject: Add SELinux feature Add agl-selinux feature to enable SELinux support. Notes: - SELinux is in permissive mode by default for now, and using the targeted policy by default. - The linux-yocto specific bbappend in meta-selinux is masked out in favor of adding a more universal kernel configuration fragment with AGL's own scheme. - SELinux specific recipes and bbappends are added via a meta-selinux dynamic-layers addition in meta-agl-core to keep using meta-selinux optional. This will avoid issues with the Yocto autobuilder testing of meta-agl-core. - To avoid the effectively hard-coded autorelabel on first boot, a bbappend is added to the selinux-autorelabel recipe to remove the flag creation. In the off chance that a build happens on a filesystem without xattr support, the logic in the selinux-image bbclass will still touch the /.autorelabel flag and trigger relabeling. - A systemd unit and script are added with a new systemd-selinux-relabel recipe to handle relabeling of some systemd generated files that do not get handled during root filesystem construction. Some of these can be addressed by some upstream tweaks, but /etc/machine-id will always need special handling unless there is a shift to using read-only or stateless root by default. With this workaround we still avoid doing a full relabel and reboot on first boot, which helps simplify CI. Bug-AGL: SPEC-4332 Signed-off-by: Scott Murray Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller --- .../recipes-kernel/linux/linux-agl-config.inc | 1 + meta-agl-core/recipes-kernel/linux/linux/selinux.cfg | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 meta-agl-core/recipes-kernel/linux/linux/selinux.cfg (limited to 'meta-agl-core/recipes-kernel/linux') diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc index 81cf0189d..b3ac7373e 100644 --- a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc +++ b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc @@ -39,6 +39,7 @@ AGL_KCONFIG_FRAGMENTS += " \ can-bus.cfg \ fanotify.cfg \ overlayfs.cfg \ + ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \ " AGL_KCONFIG_FRAGMENTS += " ${@bb.utils.contains('AGL_XEN_GUEST_WANTED','1','xen_domu.cfg','',d)}" diff --git a/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg b/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg new file mode 100644 index 000000000..86330f110 --- /dev/null +++ b/meta-agl-core/recipes-kernel/linux/linux/selinux.cfg @@ -0,0 +1,18 @@ +CONFIG_AUDIT=y +CONFIG_AUDIT_GENERIC=y +CONFIG_NETWORK_SECMARK=y +CONFIG_EXT2_FS_SECURITY=y +CONFIG_EXT3_FS_SECURITY=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_JFS_SECURITY=y +CONFIG_REISERFS_FS_SECURITY=y +CONFIG_JFFS2_FS_SECURITY=y +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_SELINUX=y +CONFIG_SECURITY_SELINUX_BOOTPARAM=y +CONFIG_SECURITY_SELINUX_DISABLE=y +CONFIG_SECURITY_SELINUX_DEVELOP=y +CONFIG_SECURITY_SELINUX_AVC_STATS=y +CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1 -- cgit 1.2.3-korg