diff --git a/config-libkrunfw-sev_x86_64 b/config-libkrunfw-sev_x86_64
index d7c58c5..0b2786e 100644
--- a/config-libkrunfw-sev_x86_64
+++ b/config-libkrunfw-sev_x86_64
@@ -1652,14 +1652,14 @@ CONFIG_FS_IOMAP=y
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 # CONFIG_EXT4_FS_POSIX_ACL is not set
-# CONFIG_EXT4_FS_SECURITY is not set
+CONFIG_EXT4_FS_SECURITY=y
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
 CONFIG_FS_MBCACHE=y
 # CONFIG_REISERFS_FS is not set
 # CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
+CONFIG_XFS_FS=y
 # CONFIG_GFS2_FS is not set
 # CONFIG_BTRFS_FS is not set
 # CONFIG_NILFS2_FS is not set
@@ -1698,7 +1698,7 @@ CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
 # DOS/FAT/EXFAT/NT Filesystems
 #
 # CONFIG_MSDOS_FS is not set
-# CONFIG_VFAT_FS is not set
+CONFIG_VFAT_FS=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_NTFS_FS is not set
 # CONFIG_NTFS3_FS is not set
@@ -1733,7 +1733,7 @@ CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_NETWORK_FILESYSTEMS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="utf8"
-# CONFIG_NLS_CODEPAGE_437 is not set
+CONFIG_NLS_CODEPAGE_437=y
 # CONFIG_NLS_CODEPAGE_737 is not set
 # CONFIG_NLS_CODEPAGE_775 is not set
 # CONFIG_NLS_CODEPAGE_850 is not set
@@ -1757,7 +1757,7 @@ CONFIG_NLS_DEFAULT="utf8"
 # CONFIG_NLS_CODEPAGE_1250 is not set
 # CONFIG_NLS_CODEPAGE_1251 is not set
 # CONFIG_NLS_ASCII is not set
-# CONFIG_NLS_ISO8859_1 is not set
+CONFIG_NLS_ISO8859_1=y
 # CONFIG_NLS_ISO8859_2 is not set
 # CONFIG_NLS_ISO8859_3 is not set
 # CONFIG_NLS_ISO8859_4 is not set
@@ -1806,7 +1806,7 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 # CONFIG_HARDENED_USERCOPY is not set
 CONFIG_FORTIFY_SOURCE=y
 # CONFIG_STATIC_USERMODEHELPER is not set
-# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
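Review bot: `CONFIG_XFS_FS=y` in the -1652 hunk and `CONFIG_VFAT_FS=y` in the -1698 hunk add two on-disk format parsers to the SEV guest kernel, and nothing in the change says which volumes need them. In a confidential-VM build the block device contents come from the host side, so every built-in filesystem parses data that the SEV threat model presumably treats as untrusted unless the volume sits on an integrity-protected layer. If this flavour does not have to mount XFS or FAT volumes, I would keep `# CONFIG_XFS_FS is not set` and `# CONFIG_VFAT_FS is not set` in this file and enable them only in the non-SEV configs; if it does, the commit message should name the use case and the integrity protection it relies on. The same two options are enabled in config-libkrunfw_aarch64 and config-libkrunfw_x86_64, where the concern is weaker.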
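Review bot: `CONFIG_SECURITY_SELINUX=y` in the -1806 hunk is added without any of its sub-options, so whether the guest can be booted with SELinux disabled or switched to permissive mode is left to whatever Kconfig defaults apply at build time. A resolved .config normally carries lines for `CONFIG_SECURITY_SELINUX_BOOTPARAM` and `CONFIG_SECURITY_SELINUX_DEVELOP` directly after this one; I would run `make olddefconfig` against the patched tree and commit the result so those choices are visible and reviewed. That also confirms the symbol survives dependency resolution, since Kconfig drops it silently if a prerequisite (auditing and the network security hooks, as far as I recall) is off in this config. The same applies to the -1812 hunk of config-libkrunfw_x86_64.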
@@ -1817,7 +1817,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_LANDLOCK is not set
 # CONFIG_INTEGRITY is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,bpf"
 #
 # Kernel hardening options
diff --git a/config-libkrunfw_aarch64 b/config-libkrunfw_aarch64
index 1d5fb2b..a2eea6e 100644
--- a/config-libkrunfw_aarch64
+++ b/config-libkrunfw_aarch64
@@ -2507,7 +2507,7 @@ CONFIG_JBD2=y
 CONFIG_FS_MBCACHE=y
 # CONFIG_REISERFS_FS is not set
 # CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
+CONFIG_XFS_FS=y
 # CONFIG_GFS2_FS is not set
 # CONFIG_OCFS2_FS is not set
 # CONFIG_BTRFS_FS is not set
@@ -2564,7 +2564,7 @@ CONFIG_CACHEFILES=y
 # DOS/FAT/EXFAT/NT Filesystems
 #
 # CONFIG_MSDOS_FS is not set
-# CONFIG_VFAT_FS is not set
+CONFIG_VFAT_FS=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_NTFS_FS is not set
 # CONFIG_NTFS3_FS is not set
@@ -2594,7 +2594,9 @@ CONFIG_CONFIGFS_FS=y
 # CONFIG_MISC_FILESYSTEMS is not set
 # CONFIG_NETWORK_FILESYSTEMS is not set
-# CONFIG_NLS is not set
+CONFIG_NLS=y
+CONFIG_NLS_CODEPAGE_437=y
+CONFIG_NLS_ISO8859_1=y
 # CONFIG_DLM is not set
 CONFIG_UNICODE=y
 # CONFIG_UNICODE_NORMALIZATION_SELFTEST is not set
@@ -2619,6 +2621,7 @@ CONFIG_KEY_DH_OPERATIONS=y
 # CONFIG_HARDENED_USERCOPY is not set
 # CONFIG_FORTIFY_SOURCE is not set
 # CONFIG_STATIC_USERMODEHELPER is not set
+CONFIG_SECURITY_SELINUX=y
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
diff --git a/config-libkrunfw_x86_64 b/config-libkrunfw_x86_64
index 8fb4eb1..09e9bc7 100644
--- a/config-libkrunfw_x86_64
+++ b/config-libkrunfw_x86_64
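Review bot: The aarch64 NLS block in the -2594 hunk sets `CONFIG_NLS=y` but no `CONFIG_NLS_DEFAULT`, while both x86_64 configs carry `CONFIG_NLS_DEFAULT="utf8"`. The default charset then comes from Kconfig and may differ between architectures, which can show up as different file name handling in filesystems that fall back to the default NLS table. I would add `CONFIG_NLS_DEFAULT="utf8"` after `CONFIG_NLS=y` so the three configs agree.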
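Review bot: The added `CONFIG_SECURITY_SELINUX=y` in the aarch64 -2619 hunk may not take effect. Unlike the two x86_64 files, this config had no `# CONFIG_SECURITY_SELINUX is not set` line to replace, which usually means the symbol was not visible because one of its dependencies is disabled; in that case the build resolves the config and drops the option without an error. The aarch64 section also has no hunk enabling `CONFIG_EXT4_FS_SECURITY`, which both x86_64 files turn on, so unless it was already set there ext4 cannot store the `security.selinux` labels. I would resolve the config with `make olddefconfig`, check that SELinux is still present, and add `CONFIG_EXT4_FS_SECURITY=y` if it is missing.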
@@ -1653,14 +1653,14 @@ CONFIG_FS_IOMAP=y
 CONFIG_EXT4_FS=y
 CONFIG_EXT4_USE_FOR_EXT2=y
 # CONFIG_EXT4_FS_POSIX_ACL is not set
-# CONFIG_EXT4_FS_SECURITY is not set
+CONFIG_EXT4_FS_SECURITY=y
 # CONFIG_EXT4_DEBUG is not set
 CONFIG_JBD2=y
 # CONFIG_JBD2_DEBUG is not set
 CONFIG_FS_MBCACHE=y
 # CONFIG_REISERFS_FS is not set
 # CONFIG_JFS_FS is not set
-# CONFIG_XFS_FS is not set
+CONFIG_XFS_FS=y
 # CONFIG_GFS2_FS is not set
 # CONFIG_BTRFS_FS is not set
 # CONFIG_NILFS2_FS is not set
@@ -1704,7 +1704,7 @@ CONFIG_FUSE_DAX=y
 # DOS/FAT/EXFAT/NT Filesystems
 #
 # CONFIG_MSDOS_FS is not set
-# CONFIG_VFAT_FS is not set
+CONFIG_VFAT_FS=y
 # CONFIG_EXFAT_FS is not set
 # CONFIG_NTFS_FS is not set
 # CONFIG_NTFS3_FS is not set
@@ -1739,7 +1739,7 @@ CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
 # CONFIG_NETWORK_FILESYSTEMS is not set
 CONFIG_NLS=y
 CONFIG_NLS_DEFAULT="utf8"
-# CONFIG_NLS_CODEPAGE_437 is not set
+CONFIG_NLS_CODEPAGE_437=y
 # CONFIG_NLS_CODEPAGE_737 is not set
 # CONFIG_NLS_CODEPAGE_775 is not set
 # CONFIG_NLS_CODEPAGE_850 is not set
@@ -1763,7 +1763,7 @@ CONFIG_NLS_DEFAULT="utf8"
 # CONFIG_NLS_CODEPAGE_1250 is not set
 # CONFIG_NLS_CODEPAGE_1251 is not set
 # CONFIG_NLS_ASCII is not set
-# CONFIG_NLS_ISO8859_1 is not set
+CONFIG_NLS_ISO8859_1=y
 # CONFIG_NLS_ISO8859_2 is not set
 # CONFIG_NLS_ISO8859_3 is not set
 # CONFIG_NLS_ISO8859_4 is not set
@@ -1812,7 +1812,7 @@ CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
 # CONFIG_HARDENED_USERCOPY is not set
 CONFIG_FORTIFY_SOURCE=y
 # CONFIG_STATIC_USERMODEHELPER is not set
-# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_SELINUX=y
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
@@ -1823,7 +1823,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_LANDLOCK is not set
 # CONFIG_INTEGRITY is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,bpf"
 #
 # Kernel hardening options
diff --git a/patches/0010-Transparent-Socket-Impersonation-implementation.patch b/patches/0010-Transparent-Socket-Impersonation-implementation.patch
index d1913a1..9a56ad9 100644
--- a/patches/0010-Transparent-Socket-Impersonation-implementation.patch
+++ b/patches/0010-Transparent-Socket-Impersonation-implementation.patch
@@ -22,15 +22,17 @@ TODO - implement remote [get|set]sockopt
 Signed-off-by: Sergio Lopez
 ---
- include/linux/socket.h | 4 +-
- net/Kconfig | 1 +
- net/Makefile | 1 +
- net/socket.c | 1 +
- net/tsi/Kconfig | 7 +
- net/tsi/Makefile | 4 +
- net/tsi/af_tsi.c | 1280 ++++++++++++++++++++++++++++++++++++++++
- net/tsi/af_tsi.h | 100 ++++
- 8 files changed, 1397 insertions(+), 1 deletion(-)
+ include/linux/socket.h | 4 +-
+ net/Kconfig | 1 +
+ net/Makefile | 1 +
+ net/socket.c | 1 +
+ net/tsi/Kconfig | 7 +
+ net/tsi/Makefile | 4 +
+ net/tsi/af_tsi.c | 1280 +++++++++++++++++++++++++++
+ net/tsi/af_tsi.h | 100 +++
+ security/selinux/hooks.c | 2 +-
+ security/selinux/include/classmap.h | 2 +-
+ 10 files changed, 1399 insertions(+), 3 deletions(-)
 create mode 100644 net/tsi/Kconfig
 create mode 100644 net/tsi/Makefile
 create mode 100644 net/tsi/af_tsi.c
@@ -1507,6 +1509,31 @@ index 000000000000..cf381734bebe
 +} __attribute__((packed));
 +
 +#endif
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 53cfeefb2f19..428801687e5c 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1295,7 +1295,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
+ return SECCLASS_XDP_SOCKET;
+ case PF_MCTP:
+ return SECCLASS_MCTP_SOCKET;
+-#if PF_MAX > 46
++#if PF_MAX > 47
+ #error New address family defined, please update this function.
+ #endif
+ }
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index a3c380775d41..06cb017611f8 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -259,6 +259,6 @@ const struct security_class_mapping secclass_map[] = {
+ { NULL }
+ };
+
+-#if PF_MAX > 46
++#if PF_MAX > 47
+ #error New address family defined, please update secclass_map.
+ #endif
 --
 2.43.0
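Review bot: Raising the guard from `PF_MAX > 46` to `PF_MAX > 47` in both hooks.c and classmap.h silences the build error without doing what the error asks for: the embedded patch adds no `case` for the new TSI family in socket_type_to_security_class() and no entry in secclass_map. TSI sockets will therefore presumably fall back to the generic socket class, so a policy cannot address them separately, and rules written for the TCP and UDP socket classes may not cover traffic that goes through the impersonating family. I would either add a dedicated class to secclass_map and return it from a new case for the TSI family, or, if the generic class is intended, say so next to the guard, for example `/* TSI sockets deliberately use the generic socket class */`. Both the switch and the table are only partly visible in this hunk.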