From 4af563ce0fcefa5cfd6d7c81efafd2e1976d0318 Mon Sep 17 00:00:00 2001
From: Harald Sitter
Date: Fri, 15 Mar 2024 02:10:23 +0100
Subject: [PATCH] setup apparmor by default needed for snapd confinement
---
 mkosi.postinst.chroot | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/mkosi.postinst.chroot b/mkosi.postinst.chroot
index 1c4a80c..d0b478c 100755
--- a/mkosi.postinst.chroot
+++ b/mkosi.postinst.chroot
@@ -223,7 +223,9 @@ ukify build \
 --initrd initrd \
 --cmdline @cmdline \
 --output live.efi
+# lsm= defaulting to apparmor from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/Kconfig
 echo "native ro root=PARTLABEL=KDEOS rootflags=subvol=@kdeos_$IMAGE_VERSION \
+ lsm=landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf \
 rd.systemd.debug_shell=on systemd.debug_shell=on SYSTEMD_SULOGIN_FORCE=1 \
 console=ttyS0 console=tty0 \
 systemd.log_level=debug systemd.log_target=kmsg log_buf_len=1M printk.devkmsg=on" > cmdline
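Review bot: The added `lsm=` line hardcodes a copy of the kernel's default list, and because `lsm=` replaces the build-time `CONFIG_LSM` order instead of extending it, a module left out of this string is generally not initialised even when the packaged kernel builds it in. The comment above the `echo` links to the moving master copy of `security/Kconfig`, so the list can drift from the kernel actually shipped in the image; I would extend the comment to something like `# lsm= overrides CONFIG_LSM; keep in sync with the packaged kernel's security/Kconfig. apparmor must stay ahead of selinux/smack, only the first exclusive LSM is initialised.` Nothing in this hunk checks that AppArmor actually came up, so it is worth confirming on a booted image by reading `/sys/kernel/security/lsm`. The `ukify build` invocation named in the hunk header starts outside the hunk.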