From b74aeb04cd428f4a3349c463933b21a503b5002f Mon Sep 17 00:00:00 2001 From: Jeff Mahoney Date: Mar 29 2023 12:57:17 +0000 Subject: config: update CONFIG_LSM defaults (bsc#1205603). CONFIG_LSM determines what the default order of LSM usage is. The default order is set based on whether AppArmor or SELinux is preferred in the config (we still prefer AppArmor). The default set has changed over time and we haven't updated it, leading to things like bpf LSMs not working out of the box. This change just updates CONFIG_LSM to what the default would be now.
---
diff --git a/config/arm64/default b/config/arm64/default
index 3ef262f..5b4ba1c 100644
--- a/config/arm64/default
+++ b/config/arm64/default
@@ -12241,7 +12241,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/armv6hl/default b/config/armv6hl/default
index 3c65f9a..37bc4a3 100644
--- a/config/armv6hl/default
+++ b/config/armv6hl/default
@@ -8413,7 +8413,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/armv7hl/default b/config/armv7hl/default
index 2f108b9..c4f6f30 100644
--- a/config/armv7hl/default
+++ b/config/armv7hl/default
@@ -11807,7 +11807,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
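Review bot: The new `CONFIG_LSM` value in config/arm64/default (and the identical line in the armv6hl, armv7hl, i386/pae, ppc64, ppc64le, riscv64, s390x and x86_64 hunks) changes which LSMs initialise at boot, not only their order, so it is a behaviour change rather than a cosmetic sync with the Kconfig default. Every listed module that is also built in becomes active by default; the `CONFIG_SECURITY_*` lines that decide this are outside these hunks, so the effective set per flavor cannot be checked from the patch. Yama is the one users are most likely to notice: if it is built, its default `kernel.yama.ptrace_scope=1` restricts ptrace attach to descendants, which affects debugger attach for unprivileged users. Of the exclusive major modules only the first one listed (`apparmor`) should be selected, while the minor ones stack on top of it. I would record in the description which of the newly listed LSMs each flavor actually builds, and confirm the result on a booted kernel with `cat /sys/kernel/security/lsm`.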
diff --git a/config/i386/pae b/config/i386/pae
index 91d85c5..f5b4ecd 100644
--- a/config/i386/pae
+++ b/config/i386/pae
@@ -10394,7 +10394,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/ppc64/default b/config/ppc64/default
index 684d4af..5610939 100644
--- a/config/ppc64/default
+++ b/config/ppc64/default
@@ -8153,7 +8153,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/ppc64le/default b/config/ppc64le/default
index 2ce3c54..1ac1bf0 100644
--- a/config/ppc64le/default
+++ b/config/ppc64le/default
@@ -8036,7 +8036,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/riscv64/default b/config/riscv64/default
index ccfdbf9..0e61f47 100644
--- a/config/riscv64/default
+++ b/config/riscv64/default
@@ -9365,7 +9365,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/s390x/default b/config/s390x/default
index 31e345d..8f1d2f8 100644
--- a/config/s390x/default
+++ b/config/s390x/default
@@ -4059,7 +4059,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/x86_64/default b/config/x86_64/default
index 6325101..34efe40 100644
--- a/config/x86_64/default
+++ b/config/x86_64/default
@@ -10361,7 +10361,7 @@ CONFIG_EVM_ADD_XATTRS=y
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="integrity,apparmor"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
 
 #
 # Kernel hardening options