Hey, can we add apparmor support to dist kernels? The following options are needed/enabled: --- /var/tmp/portage/sys-kernel/gentoo-kernel-5.15.24/work/modprep/.config 2022-03-10 15:40:39.660656219 +0200 +++ ./apparmord.config 2022-03-10 15:40:08.997377856 +0200 @@ -8451,7 +8451,10 @@ CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256 # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set -# CONFIG_SECURITY_APPARMOR is not set +CONFIG_SECURITY_APPARMOR=y +CONFIG_SECURITY_APPARMOR_HASH=y +CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y +# CONFIG_SECURITY_APPARMOR_DEBUG is not set # CONFIG_SECURITY_LOADPIN is not set CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set @@ -8483,6 +8486,7 @@ CONFIG_EVM_ATTR_FSUUID=y # CONFIG_EVM_ADD_XATTRS is not set # CONFIG_DEFAULT_SECURITY_SELINUX is not set +# CONFIG_DEFAULT_SECURITY_APPARMOR is not set CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_LSM="yama" Note that the parts: # CONFIG_DEFAULT_SECURITY_SELINUX is not set # CONFIG_DEFAULT_SECURITY_APPARMOR is not set requires one to be selected via boot parameters, and therefore this shouldn't break anyone's setup.
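Review bot: In the first hunk (@@ -8451), CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y makes hashing of every loaded policy the default rather than opt-in, and the request does not say why a distribution kernel needs that. Hashing lets an administrator check that the policy in the kernel is the expected one, but it can slow down policy load. Either justify the default in the commit message or keep CONFIG_SECURITY_APPARMOR_HASH=y and leave the _DEFAULT option unset.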
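Review bot: In the second hunk (@@ -8483), CONFIG_LSM="yama" stays unchanged, so AppArmor is compiled in but is not initialised on a default boot. It only becomes active with lsm= (for example lsm=yama,apparmor) or security=apparmor on the kernel command line. That matches the stated aim of not breaking existing setups, but it should be written down in the commit message or the package documentation. Otherwise a user who sees CONFIG_SECURITY_APPARMOR=y may assume profiles are being enforced when they are not.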
Could you submit a PR to https://github.com/mgorny/gentoo-kernel-config ?
Now in the following kernels: gentoo-kernel-5.10.107.ebuild gentoo-kernel-5.15.30.ebuild gentoo-kernel-5.16.16.ebuild gentoo-kernel-5.4.186.ebuild
https://github.com/mgorny/gentoo-kernel-config/commit/40cb676e372ee6d5ec4df9a97c8cbcd57ef3458e