authorDmitry Vyukov <dvyukov@google.com>2021-02-17 05:57:00 +0100
committerDmitry Vyukov <dvyukov@google.com>2021-03-09 17:06:47 +0100
commit3f01626e2273ad8b732eb079d8bc0a551f8daa1f (patch)
tree740127bb1515522569a96899ff8ce58aa52fe68d
parent09fbf400324c9aea14031e516d36e905b629b639 (diff)
dashboard/config/linux: update riscv config
Enable CMDLINE_EXTEND as we intend to append our args to the bootloader command line. Switch from SELINUX to APPARMOR. SELINUX does not work in buildroot with the default policy.
-rw-r--r--dashboard/config/linux/bits/kasan.yml2
-rw-r--r--dashboard/config/linux/bits/riscv64.yml1
-rw-r--r--dashboard/config/linux/main.yml2
-rw-r--r--dashboard/config/linux/upstream-riscv64-kasan-base.config29
-rw-r--r--dashboard/config/linux/upstream-riscv64-kasan.config26
5 files changed, 29 insertions, 31 deletions
diff --git a/dashboard/config/linux/bits/kasan.yml b/dashboard/config/linux/bits/kasan.yml
index 53d689cc1..91557d722 100644
--- a/dashboard/config/linux/bits/kasan.yml
+++ b/dashboard/config/linux/bits/kasan.yml
@@ -7,7 +7,7 @@ config:
- KASAN_INLINE: [-arm]
- KASAN_STACK_ENABLE: [clang, -v5.11]
- KASAN_STACK: [clang, v5.11]
- - KASAN_VMALLOC: [x86_64, v5.5]
+ - KASAN_VMALLOC: [v5.5, -arm, -arm64, -s390, -riscv]
# This was historically enabled in the KASAN section without explanation.
- SPARSEMEM_VMEMMAP: [-arm]
# This is required to enable SPARSEMEM_VMEMMAP.
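Review bot: The rewritten KASAN_VMALLOC constraint on line 28 turns an allow-list (`x86_64`) into a deny-list (`-arm, -arm64, -s390, -riscv`), so any architecture added to this file later will get KASAN_VMALLOC unless it is also excluded here, and the commit message does not mention this change at all. The neighbouring entries carry explanatory comments, so this one should too, e.g. `# KASAN_VMALLOC needs arch support (HAVE_ARCH_KASAN_VMALLOC); the excluded arches presumably lack it in the kernel versions we build — re-check when adding an arch or raising the minimum version.` The rationale for excluding exactly these four architectures is not visible in the hunk, so the comment should be confirmed against the kernel Kconfig before landing.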
diff --git a/dashboard/config/linux/bits/riscv64.yml b/dashboard/config/linux/bits/riscv64.yml
index 5fdeb4ace..14d520201 100644
--- a/dashboard/config/linux/bits/riscv64.yml
+++ b/dashboard/config/linux/bits/riscv64.yml
@@ -7,6 +7,7 @@ shell:
config:
- CMDLINE: [append, "watchdog_thresh=165 workqueue.watchdog_thresh=420"]
+ - CMDLINE_EXTEND
# See the comment in x86_64.yml re these numbers.
- RCU_CPU_STALL_TIMEOUT: 300
- DEFAULT_HUNG_TASK_TIMEOUT: 420
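Review bot: `CMDLINE_EXTEND` on line 39 is added without a comment, although the rationale exists only in the commit message and the regenerated configs show the side effect (`CONFIG_CMDLINE_FALLBACK` becomes unset, since the two options are alternatives). Line 40 already refers the reader to x86_64.yml for the timeout values, so a short comment fits the file's style, e.g. `# Append CONFIG_CMDLINE to the bootloader command line instead of using it only as a fallback.` It may also be worth stating that the bootloader-supplied arguments are now always honoured and the built-in arguments from CMDLINE above are appended after them, as the commit message describes, so anyone editing the CMDLINE entry knows which side wins for duplicated parameters.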
diff --git a/dashboard/config/linux/main.yml b/dashboard/config/linux/main.yml
index 9aaf62d48..99aa8c399 100644
--- a/dashboard/config/linux/main.yml
+++ b/dashboard/config/linux/main.yml
@@ -14,7 +14,7 @@ instances:
# TODO: enable kasan when it works, currently Go binaries hang on KASAN kernel:
# https://lore.kernel.org/linux-arm-kernel/CACT4Y+YdJoNTqnBSELcEbcbVsKBtJfYUc7_GSXbUQfAJN3JyRg@mail.gmail.com/
- upstream-arm-kasan: [upstream, arm, gcc, lsm, selinux]
- - upstream-riscv64-kasan: [upstream, riscv, gcc, lsm, selinux, kasan]
+ - upstream-riscv64-kasan: [upstream, riscv, gcc, lsm, apparmor, kasan]
- upstream-s390-kasan: [upstream, s390, gcc, lsm, selinux, nonoise, kasan]
- stable-5.4-kasan: [stable-5.4, x86_64, gcc, lsm, apparmor, kasan]
- android-5.4: [android, android-5.4, x86_64, clang, onlyusb, nonoise, kasan]
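Review bot: The switch from `selinux` to `apparmor` on line 52 is explained only in the commit message, while the arm entry directly above it keeps its reason in an in-file TODO; a comment such as `# SELinux does not work in the buildroot image with the default policy, so use AppArmor here.` would keep the reason next to the instance definition. The regenerated riscv64 configs also show SELinux-dependent options dropping out along with it (`CONFIG_LSM_MMAP_MIN_ADDR` and `CONFIG_NETWORK_SECMARK` are removed), which presumably takes those code paths out of fuzzing coverage on this instance; that looks acceptable since the arm and s390 instances keep selinux, but it is worth recording in the commit message or comment so the loss is deliberate rather than accidental.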
diff --git a/dashboard/config/linux/upstream-riscv64-kasan-base.config b/dashboard/config/linux/upstream-riscv64-kasan-base.config
index e68c3816b..e8f26e650 100644
--- a/dashboard/config/linux/upstream-riscv64-kasan-base.config
+++ b/dashboard/config/linux/upstream-riscv64-kasan-base.config
@@ -151,6 +151,7 @@ CONFIG_CHECKPOINT_RESTORE=y
# CONFIG_RELAY is not set
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
+# CONFIG_INITRAMFS_FORCE is not set
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
@@ -287,8 +288,8 @@ CONFIG_RISCV_SBI_V01=y
# Boot options
#
CONFIG_CMDLINE="earlyprintk=serial oops=panic nmi_watchdog=panic panic=86400 net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb kvm-intel.nested=1 nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 spec_store_bypass_disable=prctl numa=fake=2 nopcid dummy_hcd.num=8 binder.debug_mask=0 rcupdate.rcu_expedited=1 watchdog_thresh=165 workqueue.watchdog_thresh=420 panic_on_warn=1"
-CONFIG_CMDLINE_FALLBACK=y
-# CONFIG_CMDLINE_EXTEND is not set
+# CONFIG_CMDLINE_FALLBACK is not set
+CONFIG_CMDLINE_EXTEND=y
# CONFIG_CMDLINE_FORCE is not set
CONFIG_EFI_STUB=y
CONFIG_EFI=y
@@ -565,7 +566,7 @@ CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_RPL_LWTUNNEL is not set
# CONFIG_NETLABEL is not set
# CONFIG_MPTCP is not set
-CONFIG_NETWORK_SECMARK=y
+# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
# CONFIG_NETFILTER is not set
# CONFIG_BPFILTER is not set
@@ -3134,27 +3135,24 @@ CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
-CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# CONFIG_STATIC_USERMODEHELPER is not set
-CONFIG_SECURITY_SELINUX=y
-# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
-# CONFIG_SECURITY_SELINUX_DISABLE is not set
-# CONFIG_SECURITY_SELINUX_DEVELOP is not set
-# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
-CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
-CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
+# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=1024
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=32
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_SECURITY_APPARMOR_DEBUG=y
+CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
+# CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES is not set
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
@@ -3192,10 +3190,10 @@ CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_ADD_XATTRS=y
# CONFIG_EVM_LOAD_X509 is not set
-CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,selinux,bpf"
+CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,apparmor,bpf"
#
# Kernel hardening options
@@ -3425,6 +3423,7 @@ CONFIG_XXHASH=y
CONFIG_AUDIT_GENERIC=y
# CONFIG_RANDOM32_SELFTEST is not set
CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_LZ4_DECOMPRESS=y
CONFIG_ZSTD_DECOMPRESS=y
diff --git a/dashboard/config/linux/upstream-riscv64-kasan.config b/dashboard/config/linux/upstream-riscv64-kasan.config
index a9411d50f..d7ff91419 100644
--- a/dashboard/config/linux/upstream-riscv64-kasan.config
+++ b/dashboard/config/linux/upstream-riscv64-kasan.config
@@ -163,6 +163,7 @@ CONFIG_CHECKPOINT_RESTORE=y
# CONFIG_RELAY is not set
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
+# CONFIG_INITRAMFS_FORCE is not set
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
@@ -308,8 +309,8 @@ CONFIG_RISCV_SBI_V01=y
# Boot options
#
CONFIG_CMDLINE="earlyprintk=serial oops=panic nmi_watchdog=panic panic=86400 net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb kvm-intel.nested=1 nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 vivid.n_devs=16 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=16 rose.rose_ndevs=16 spec_store_bypass_disable=prctl numa=fake=2 nopcid dummy_hcd.num=8 binder.debug_mask=0 rcupdate.rcu_expedited=1 watchdog_thresh=165 workqueue.watchdog_thresh=420 panic_on_warn=1"
-CONFIG_CMDLINE_FALLBACK=y
-# CONFIG_CMDLINE_EXTEND is not set
+# CONFIG_CMDLINE_FALLBACK is not set
+CONFIG_CMDLINE_EXTEND=y
# CONFIG_CMDLINE_FORCE is not set
CONFIG_EFI_STUB=y
CONFIG_EFI=y
@@ -6990,27 +6991,24 @@ CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_INFINIBAND=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
-CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
# CONFIG_STATIC_USERMODEHELPER is not set
-CONFIG_SECURITY_SELINUX=y
-# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
-# CONFIG_SECURITY_SELINUX_DISABLE is not set
-# CONFIG_SECURITY_SELINUX_DEVELOP is not set
-# CONFIG_SECURITY_SELINUX_AVC_STATS is not set
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
-CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
-CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
+# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
CONFIG_SECURITY_TOMOYO=y
CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=1024
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=32
CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y
CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING=y
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_SECURITY_APPARMOR_DEBUG=y
+CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
+# CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES is not set
# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_SAFESETID=y
@@ -7052,10 +7050,10 @@ CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_ADD_XATTRS=y
# CONFIG_EVM_LOAD_X509 is not set
-CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
+CONFIG_DEFAULT_SECURITY_APPARMOR=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,selinux,bpf"
+CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,apparmor,bpf"
#
# Kernel hardening options