mkosi: Enable more options

We build with support for selinux/apparmor where applicable but disable them at runtime as even in permissive mode they're horribly broken.
2024-10-27 10:25:37 +03:00 · 2023-06-02 17:25:23 +02:00 · 2023-06-02 17:25:23 +02:00 · cc532533b8
commit cc532533b8
parent 8f9a307fec
3 changed files with 14 additions and 0 deletions
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@ -39,3 +39,7 @@ KernelCommandLineExtra=systemd.crash_shell
                       # Lower the default device timeout so we get a shell earlier if the root device does
                       # not appear for some reason.
                       systemd.default_device_timeout_sec=10
+                       # Make sure no LSMs are enabled by default.
+                       apparmor=0
+                       selinux=0
+                       enforcing=0
--- a/mkosi.presets/00-base/mkosi.build
+++ b/mkosi.presets/00-base/mkosi.build
@ -134,6 +134,14 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then
        -D analyze=true
        -D bpf-framework=true
        -D ukify=true
+        -D seccomp=true
+        -D selinux=auto
+        -D apparmor=auto
+        -D smack=true
+        -D ima=true
+        -D first-boot-full-preset=true
+        -D initrd=true
+        -D fexecve=true
    )

    # On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
--- a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
@ -6,6 +6,7 @@ Distribution=debian ubuntu
 [Content]
 Packages=
        dmsetup
+        libapparmor1
        libfdisk1
        libfido2-1
        libglib2.0-0
@ -28,6 +29,7 @@ BuildPackages=
        dpkg-dev
        g++
        libacl1-dev
+        libapparmor-dev
        libaudit-dev
        libblkid-dev
        libbpf-dev