From 1bc5a0b03a11e649e739a32ff9bc1449053d9773 Mon Sep 17 00:00:00 2001
From: Denys Dmytriyenko <denys@konsulko.com>
Date: Wed, 14 Dec 2022 22:05:29 +0000
Subject: linux: config: add systemd sandboxing fragment

Add a kernel config fragment that enables additional features needed for
systemd sandboxing support, using Classic BPF (Berkeley Packet Filter)
kernel framework. Eventually this will be extended with more advanced
features using eBPF (extended BPF), BTF (BPF Type Format) and LSM (Lunux
Security Module) frameworks.

Bug-AGL: SPEC-4627
Change-Id: I9ed21c654b2e0298be66073750dab6920e49b0c9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28297
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
---
 meta-agl-core/recipes-kernel/linux/linux-agl-config.inc      | 1 +
 meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg

(limited to 'meta-agl-core')

diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
index 2a86931a8..e42ae823d 100644
--- a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
+++ b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
@@ -42,6 +42,7 @@ AGL_KCONFIG_FRAGMENTS += " \
     audit.cfg \
     ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-sandbox.cfg', '', d)} \
 "
 
 AGL_KCONFIG_FRAGMENTS += " ${@bb.utils.contains('AGL_XEN_GUEST_WANTED','1','xen_domu.cfg','',d)}"
diff --git a/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
new file mode 100644
index 000000000..d451d554c
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
@@ -0,0 +1,9 @@
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_ACT_BPF=m
+CONFIG_BPF_JIT=y
+CONFIG_HAVE_EBPF_JIT=y
+CONFIG_BPF_EVENTS=y
+CONFIG_BPF_LSM=y
+CONFIG_CGROUP_BPF=y
-- 
cgit 1.2.3-korg