Add libseccomp (#2389)

* Add security library libseccomp

Enable libseccomp to activate seccomp support in HAOS. This will compile
systemd and Docker with seccomp support.

Note: Traditionally Supervisor required to disable seccomp. This seems
no longer to be the case with current Supervisor, but it needs further
testing. All containers started by Supervisor get currently started with
seccomp disabled.

* Enable seccomp in the kernel

buildroot-external/configs/generic_aarch64_defconfig

@@ -72,6 +72,7 @@ BR2_PACKAGE_CA_CERTIFICATES=y
 BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/generic_x86_64_defconfig

@@ -74,6 +74,7 @@ BR2_PACKAGE_CA_CERTIFICATES=y
 BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/khadas_vim3_defconfig

@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/odroid_c2_defconfig

@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/odroid_c4_defconfig

@@ -55,6 +55,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/odroid_n2_defconfig

@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/odroid_xu4_defconfig

@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/ova_defconfig

@@ -76,6 +76,7 @@ BR2_PACKAGE_CA_CERTIFICATES=y
 BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/rpi2_defconfig

@@ -61,6 +61,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/rpi3_64_defconfig

@@ -63,6 +63,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/rpi3_defconfig

@@ -64,6 +64,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/rpi4_64_defconfig

@@ -64,6 +64,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/rpi4_defconfig

@@ -63,6 +63,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/tinker_defconfig

@@ -59,6 +59,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/configs/yellow_defconfig

@@ -64,6 +64,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y

buildroot-external/kernel/hassos.config

@@ -22,7 +22,9 @@ CONFIG_SQUASHFS_XATTR=y
 CONFIG_SQUASHFS_LZ4=y
 CONFIG_BTRFS_FS=m
 
-# CONFIG_SECCOMP is not set
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+
 CONFIG_AUDIT=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_APPARMOR=y