setup apparmor by default

needed for snapd confinement
2026-04-18 13:40:01 -04:00 · 2024-03-15 02:10:23 +01:00
parent 3c586ffe60
commit 4af563ce0f
1 changed files with 2 additions and 0 deletions
--- a/mkosi.postinst.chroot
+++ b/mkosi.postinst.chroot
@@ -223,7 +223,9 @@ ukify build \
  --initrd initrd \
  --cmdline @cmdline \
  --output live.efi
+# lsm= defaulting to apparmor from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/Kconfig
 echo "native ro root=PARTLABEL=KDEOS rootflags=subvol=@kdeos_$IMAGE_VERSION \
+  lsm=landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf \
  rd.systemd.debug_shell=on systemd.debug_shell=on SYSTEMD_SULOGIN_FORCE=1 \
  console=ttyS0 console=tty0 \
  systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M printk.devkmsg=on" > cmdline