linux: config: add systemd sandboxing fragment 97/28297/2
author Denys Dmytriyenko <denys@konsulko.com>
Wed, 14 Dec 2022 22:05:29 +0000 (22:05 +0000)
committer Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Fri, 16 Dec 2022 12:12:59 +0000 (12:12 +0000)
Add a kernel config fragment that enables additional features needed for
systemd sandboxing support, using Classic BPF (Berkeley Packet Filter)
kernel framework. Eventually this will be extended with more advanced
features using eBPF (extended BPF), BTF (BPF Type Format) and LSM (Linux
Security Module) frameworks.

Bug-AGL: SPEC-4627
Change-Id: I9ed21c654b2e0298be66073750dab6920e49b0c9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28297
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
meta-agl-core/recipes-kernel/linux/linux-agl-config.inc
meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg [new file with mode: 0644]

index 2a86931..e42ae82 100644 (file)
@@ -42,6 +42,7 @@ AGL_KCONFIG_FRAGMENTS += " \
     audit.cfg \
     ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-sandbox.cfg', '', d)} \
 "
 
 AGL_KCONFIG_FRAGMENTS += " ${@bb.utils.contains('AGL_XEN_GUEST_WANTED','1','xen_domu.cfg','',d)}"
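Review bot: the new line duplicates the `DISTRO_FEATURES` / `systemd` test already made on the line above it, so the two systemd fragments could be selected with a single call, e.g. `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg systemd-sandbox.cfg', '', d)}`, which keeps the gating in one place when further systemd fragments are added later. The gating itself is correct: the fragment is only merged when systemd is the init system, matching how systemd-required.cfg is handled.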
diff --git a/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg b/meta-agl-core/recipes-kernel/linux/linux/systemd-sandbox.cfg
new file mode 100644 (file)
index 0000000..d451d55
--- /dev/null
@@ -0,0 +1,9 @@
+CONFIG_BPF=y
+CONFIG_BPF_SYSCALL=y
+CONFIG_NET_CLS_BPF=m
+CONFIG_NET_ACT_BPF=m
+CONFIG_BPF_JIT=y
+CONFIG_HAVE_EBPF_JIT=y
+CONFIG_BPF_EVENTS=y
+CONFIG_BPF_LSM=y
+CONFIG_CGROUP_BPF=y
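Review bot: `CONFIG_HAVE_EBPF_JIT=y` has no effect in a config fragment: it is a non-user-visible symbol selected by the architecture Kconfig, so the merge step cannot honour it and the kernel configuration check may warn that the requested value was not applied; drop it and rely on `CONFIG_BPF_JIT=y`, which is the selectable option. Separately, the fragment does not match the commit message: `CONFIG_BPF_LSM=y`, `CONFIG_CGROUP_BPF=y` and `CONFIG_BPF_SYSCALL=y` are eBPF-side features, not Classic BPF, and the message says eBPF/BTF/LSM support is to be added later. Either the message should describe what is actually enabled here, or those options should move to the follow-up change. `CONFIG_BPF_LSM` also depends on `CONFIG_SECURITY` and only becomes active when `bpf` is listed in `CONFIG_LSM`, neither of which this fragment sets, so it is worth confirming that another fragment (for example the audit or selinux ones referenced in the first hunk) satisfies these, otherwise the option will be silently dropped at merge time. Finally, `CONFIG_NET_CLS_BPF=m` and `CONFIG_NET_ACT_BPF=m` are traffic-control classifier/action modules rather than sandboxing options; a one-line comment in the fragment stating which systemd feature each option serves would make the intent reviewable.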