From: Denys Dmytriyenko Date: Wed, 14 Dec 2022 22:05:29 +0000 (+0000) Subject: linux: config: add systemd sandboxing fragment X-Git-Tag: 14.92.0~1 X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=1bc5a0b03a11e649e739a32ff9bc1449053d9773;p=AGL%2Fmeta-agl.git linux: config: add systemd sandboxing fragment Add a kernel config fragment that enables additional features needed for systemd sandboxing support, using Classic BPF (Berkeley Packet Filter) kernel framework. Eventually this will be extended with more advanced features using eBPF (extended BPF), BTF (BPF Type Format) and LSM (Linux Security Module) frameworks. Bug-AGL: SPEC-4627 Change-Id: I9ed21c654b2e0298be66073750dab6920e49b0c9 Signed-off-by: Denys Dmytriyenko Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28297 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller --- diff --git a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc index 2a86931a8..e42ae823d 100644 --- a/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc +++ b/meta-agl-core/recipes-kernel/linux/linux-agl-config.inc @@ -42,6 +42,7 @@ AGL_KCONFIG_FRAGMENTS += " \ audit.cfg \ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-sandbox.cfg', '', d)} \ " AGL_KCONFIG_FRAGMENTS += " ${@bb.utils.contains('AGL_XEN_GUEST_WANTED','1','xen_domu.cfg','',d)}" diff --git a/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg new file mode 100644 index 000000000..d451d554c --- /dev/null +++ b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg 
@@ -0,0 +1,9 @@ +CONFIG_BPF=y +CONFIG_BPF_SYSCALL=y +CONFIG_NET_CLS_BPF=m +CONFIG_NET_ACT_BPF=m +CONFIG_BPF_JIT=y +CONFIG_HAVE_EBPF_JIT=y +CONFIG_BPF_EVENTS=y +CONFIG_BPF_LSM=y +CONFIG_CGROUP_BPF=y
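Review bot: in the linux-agl-config.inc hunk, the new `systemd-sandbox.cfg` line repeats the exact `bb.utils.contains('DISTRO_FEATURES', 'systemd', ...)` test of the `systemd-required.cfg` line directly above it, so the sandbox fragment is pulled in unconditionally whenever systemd is in DISTRO_FEATURES rather than being an opt-in hardening knob. If that is intended, collapse the two into one expression, `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg systemd-sandbox.cfg', '', d)} \`; if the fragment is meant to be optional (the commit message calls these "additional features"), gate it on its own feature or variable so images that do not want BPF_SYSCALL and BPF_LSM compiled into the kernel can leave it out.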
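Review bot: the systemd-sandbox.cfg hunk does not match its commit message: the message says this step uses Classic BPF and that eBPF, BTF and LSM support will come later, yet the fragment already sets `CONFIG_BPF_SYSCALL=y` (the eBPF syscall), `CONFIG_CGROUP_BPF=y` and `CONFIG_BPF_LSM=y`; either trim the fragment to what this change needs or update the message to state what is really being enabled. Two further points on the option list: `CONFIG_HAVE_EBPF_JIT=y` is an architecture-selected symbol with no Kconfig prompt, so the config merge check will flag it as a requested value that did not make it into the final .config on any target that does not select it, and it should be dropped; and `CONFIG_BPF_LSM=y` only builds the hooks, the BPF LSM still has to be listed in `CONFIG_LSM` (or passed via the `lsm=` boot parameter) before any LSM program systemd loads can take effect, so please confirm the image's `CONFIG_LSM` string includes `bpf` or add that to the fragment. Finally, nothing here enables seccomp, which is presumably where the "Classic BPF" sandboxing in the message lives (systemd's syscall filtering); a one-line comment in the .cfg noting that those options are expected from systemd-required.cfg would save the next reader the search.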