From b2d1f058ecc9087233316098970c12b8b4c32889 Mon Sep 17 00:00:00 2001
From: David Shaub
Date: Thu, 7 Jan 2021 20:24:15 -0700
Subject: [PATCH 1/3] kernel flags for apparmor
---
 kernel/packages/prawnos-linux-image-armhf/README.md | 2 +-
 kernel/resources/armhf/libre-config | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/packages/prawnos-linux-image-armhf/README.md b/kernel/packages/prawnos-linux-image-armhf/README.md
index 1a3b31c0a..ec7a1f4ba 100644
--- a/kernel/packages/prawnos-linux-image-armhf/README.md
+++ b/kernel/packages/prawnos-linux-image-armhf/README.md
@@ -11,7 +11,7 @@ prawnos linux kernel images have 3 version numbers, each representing a different type of change. This is to keep versioning organized, and to make the debian packaging system happy. the format is:
-`prawnos-linus-image-armhf_--`
+`prawnos-linux-image-armhf_--`
 upstream_kver changes with a new version of the linux kernel prawnos_kver changes when new patches are added or a config change occurs
diff --git a/kernel/resources/armhf/libre-config b/kernel/resources/armhf/libre-config
index b986bd421..1041b23e3 100644
--- a/kernel/resources/armhf/libre-config
+++ b/kernel/resources/armhf/libre-config
@@ -5760,6 +5760,9 @@ CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_PATH=y
From 2d1e989885dc13139c75a1ffdb7f5ec9a7db9f70 Mon Sep 17 00:00:00 2001
From: David Shaub
Date: Thu, 7 Jan 2021 21:24:40 -0700
Subject: [PATCH 2/3] shellcheck fixes
---
 kernel/resources/shared/FlashKernelPartition.sh | 2 +-
 scripts/InstallScripts/InstallPackages.sh | 2 +-
 scripts/InstallScripts/InstallPrawnOS.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/resources/shared/FlashKernelPartition.sh b/kernel/resources/shared/FlashKernelPartition.sh
index 56b7b0882..e75261577 100755
--- a/kernel/resources/shared/FlashKernelPartition.sh
+++ b/kernel/resources/shared/FlashKernelPartition.sh
@@ -36,7 +36,7 @@ get_emmc_devname() {
 local devname=$(ls /dev/mmcblk* | grep -F boot0 | sed "s/boot0//")
 if [ -z "$devname" ]
 then
- echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;;
+ echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;
 fi
 echo $devname
 }
diff --git a/scripts/InstallScripts/InstallPackages.sh b/scripts/InstallScripts/InstallPackages.sh
index 1282643b5..accea08ed 100755
--- a/scripts/InstallScripts/InstallPackages.sh
+++ b/scripts/InstallScripts/InstallPackages.sh
@@ -37,7 +37,7 @@ get_emmc_devname() {
 local devname=$(ls /dev/mmcblk* | grep -F boot0 | sed "s/boot0//")
 if [ -z "$devname" ]
 then
- echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;;
+ echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;
 fi
 echo $devname
 }
diff --git a/scripts/InstallScripts/InstallPrawnOS.sh b/scripts/InstallScripts/InstallPrawnOS.sh
index 701b06acf..f5b25b432 100755
--- a/scripts/InstallScripts/InstallPrawnOS.sh
+++ b/scripts/InstallScripts/InstallPrawnOS.sh
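Review bot: The fix only drops the stray `;;`; the context line `local devname=$(ls /dev/mmcblk* | grep -F boot0 | sed "s/boot0//")` still parses `ls` output and lets `local` hide the pipeline's exit status, and `echo $devname` is unquoted, so get_emmc_devname is not shellcheck-clean after a commit titled "shellcheck fixes" (ShellCheck would still report SC2012, SC2155 and SC2086 on these lines). The same copy of the function is patched identically in the InstallPackages.sh and InstallPrawnOS.sh hunks, so any rewrite belongs in all three. A glob on the boot0 device node avoids the pipeline entirely; note that it reports the first match, whereas the original would have printed every matching device on separate lines. The function's opening line is outside the hunk.

```shell
get_emmc_devname() {
    # match the eMMC boot0 node directly instead of parsing ls output
    set -- /dev/mmcblk*boot0
    if [ ! -e "$1" ]
    then
        echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;
    fi
    # strip the boot0 suffix to get the parent device name
    printf '%s\n' "${1%boot0}"
}
```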
@@ -40,7 +40,7 @@ get_emmc_devname() {
 local devname=$(ls /dev/mmcblk* | grep -F boot0 | sed "s/boot0//")
 if [ -z "$devname" ]
 then
- echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;;
+ echo "Unknown device! can't determine emmc devname. Please file an issue with the output of fdisk -l if you get this on a supported device"; exit 1;
 fi
 echo $devname
 }
From de7da322fdfbe3bb7ead849192092cb45df9856e Mon Sep 17 00:00:00 2001
From: David Shaub
Date: Tue, 12 Jan 2021 19:27:03 -0700
Subject: [PATCH 3/3] more apparmor settings
---
 kernel/resources/armhf/libre-config | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/kernel/resources/armhf/libre-config b/kernel/resources/armhf/libre-config
index 1041b23e3..c236199a1 100644
--- a/kernel/resources/armhf/libre-config
+++ b/kernel/resources/armhf/libre-config
@@ -5757,12 +5757,12 @@ CONFIG_KEYS=y
 # CONFIG_TRUSTED_KEYS is not set
 CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
-# CONFIG_SECURITY_DMESG_RESTRICT is not set
+CONFIG_SECURITY_DMESG_RESTRICT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
-CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_APPARMOR_HASH=y
+SECURITY_APPARMOR_HASH_DEFAULT=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_PATH=y
@@ -5775,7 +5775,7 @@ CONFIG_HARDENED_USERCOPY_FALLBACK=y
 CONFIG_STATIC_USERMODEHELPER=y
 CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 CONFIG_SECURITY_SELINUX=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
 # CONFIG_SECURITY_SELINUX_DISABLE is not set
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
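Review bot: The added `SECURITY_APPARMOR_HASH_DEFAULT=y` in the 5757 hunk is missing the `CONFIG_` prefix, so the kconfig .config reader will not treat it as a symbol (as far as I recall it reports the line as unexpected data and ignores it), and the option quietly takes its Kconfig default rather than the value this commit means to pin. The line should read `CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y`. The other lines in this hunk and in the 5775 hunk parse as ordinary symbols and need no change.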
@@ -5784,7 +5784,7 @@ CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_LOADPIN=y
 # CONFIG_SECURITY_LOADPIN_ENFORCE is not set
 CONFIG_SECURITY_YAMA=y
@@ -5795,10 +5795,10 @@ CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
-CONFIG_DEFAULT_SECURITY_SELINUX=y
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
+# CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
-
 #
 # Kernel hardening options
 #
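Review bot: Setting `CONFIG_DEFAULT_SECURITY_APPARMOR=y` in the 5795 hunk does not make AppArmor the active major LSM, because that symbol only supplies the default for CONFIG_LSM and the hunk keeps an explicit `CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"` in which selinux precedes apparmor while `CONFIG_SECURITY_SELINUX=y` remains set in the 5775 hunk. On kernels that have CONFIG_LSM, the first exclusive LSM in that list that is built in claims the slot, so SELinux would initialise at boot and AppArmor would stay unregistered unless the kernel command line overrides the order (`lsm=` or `security=`); `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` does not change that. Reorder the list, e.g. `CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"`, or leave SELinux out of the build if it is not meant to be used on this image.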