From cc532533b84c19e4cfc470747a6328cc356d1f9c Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Fri, 2 Jun 2023 17:25:23 +0200
Subject: [PATCH] mkosi: Enable more options

We build with support for selinux/apparmor where applicable but disable them
at runtime as even in permissive mode they're horribly broken.
---
 mkosi.conf.d/10-systemd.conf                             | 4 ++++
 mkosi.presets/00-base/mkosi.build                        | 8 ++++++++
 mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf | 2 ++
 3 files changed, 14 insertions(+)

diff --git a/mkosi.conf.d/10-systemd.conf b/mkosi.conf.d/10-systemd.conf
index 78b438b5db9..7cc3e8c4eb1 100644
--- a/mkosi.conf.d/10-systemd.conf
+++ b/mkosi.conf.d/10-systemd.conf
@@ -39,3 +39,7 @@ KernelCommandLineExtra=systemd.crash_shell
         # Lower the default device timeout so we get a shell earlier if the root device does
         # not appear for some reason.
         systemd.default_device_timeout_sec=10
+        # Make sure no LSMs are enabled by default.
+        apparmor=0
+        selinux=0
+        enforcing=0
diff --git a/mkosi.presets/00-base/mkosi.build b/mkosi.presets/00-base/mkosi.build
index eb18d27577d..d31eb338c63 100755
--- a/mkosi.presets/00-base/mkosi.build
+++ b/mkosi.presets/00-base/mkosi.build
@@ -134,6 +134,14 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then
         -D analyze=true
         -D bpf-framework=true
         -D ukify=true
+        -D seccomp=true
+        -D selinux=auto
+        -D apparmor=auto
+        -D smack=true
+        -D ima=true
+        -D first-boot-full-preset=true
+        -D initrd=true
+        -D fexecve=true
     )

     # On debian-like systems the library directory is not /usr/lib64 but /usr/lib//.
diff --git a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
index 920e50e42b9..1c4cb2d7acc 100644
--- a/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi.presets/00-base/mkosi.conf.d/10-debian-ubuntu.conf
@@ -6,6 +6,7 @@ Distribution=debian ubuntu
 [Content]
 Packages=
         dmsetup
+        libapparmor1
         libfdisk1
         libfido2-1
         libglib2.0-0
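Review bot: The added comment `# Make sure no LSMs are enabled by default.` promises more than the three parameters under it deliver: `apparmor=0`, `selinux=0` and `enforcing=0` only switch off AppArmor and SELinux (with `enforcing=0` as a permissive fallback), and they are honoured only on kernels built with the corresponding boot-parameter options (CONFIG_SECURITY_APPARMOR_BOOTPARAM, CONFIG_SECURITY_SELINUX_BOOTPARAM/_DEVELOP), which is presumably the case for the distro kernels mkosi installs but is not guaranteed. Smack, which this same commit compiles into systemd with `-D smack=true`, and any other LSM the kernel initializes (Yama, Landlock, lockdown, BPF) are untouched; on kernels with CONFIG_LSM the `lsm=` list is what actually controls which modules come up, so either use that or narrow the comment. Because these arguments strip mandatory access control from the booted image, the comment should also make clear they are test-image-only: `# Test images only: disable AppArmor and SELinux (enforcing=0 keeps SELinux permissive on kernels that ignore selinux=0). Smack and other LSMs built into the kernel are not affected.`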
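Review bot: The new meson options mix `auto` and `true` without saying why: `-D selinux=auto` and `-D apparmor=auto` silently produce a build without those backends when the dev libraries are absent, whereas `-D seccomp=true`, `-D smack=true` and `-D ima=true` fail the build instead. Since this commit adds `libapparmor-dev` only to the debian/ubuntu preset, images for other distributions will presumably end up without AppArmor support and never exercise that code path; that is acceptable only if intentional, so a comment above the new lines would stop the next reader assuming every image has it, e.g. `# LSM backends are compiled in where the dev libs are available (auto) but disabled at boot via apparmor=0/selinux=0 in mkosi.conf.d/10-systemd.conf.` If the goal is guaranteed coverage, switch these two to `true` and add the dev packages to every distro preset. The enclosing `if [ ! -f "$BUILDDIR"/build.ninja ]` block starts and ends outside this hunk.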
@@ -28,6 +29,7 @@ BuildPackages=
         dpkg-dev
         g++
         libacl1-dev
+        libapparmor-dev
         libaudit-dev
         libblkid-dev
         libbpf-dev