From a93781c3608c4ffb816b00042caf878683f03d00 Mon Sep 17 00:00:00 2001 From: Stefan Agner Date: Wed, 8 Mar 2023 00:38:28 +0100 Subject: [PATCH] Add libseccomp (#2389) * Add security library libseccomp Enable libseccomp to activate seccomp support in HAOS. This will compile systemd and Docker with seccomp support. Note: Traditionally Supervisor required to disable seccomp. This seems no longer to be the case with current Supervisor, but it needs further testing. All containers started by Supervisor get currently started with seccomp disabled. * Enable seccomp in the kernel
---
 buildroot-external/configs/generic_aarch64_defconfig | 1 + buildroot-external/configs/generic_x86_64_defconfig | 1 + buildroot-external/configs/khadas_vim3_defconfig | 1 + buildroot-external/configs/odroid_c2_defconfig | 1 + buildroot-external/configs/odroid_c4_defconfig | 1 + buildroot-external/configs/odroid_n2_defconfig | 1 + buildroot-external/configs/odroid_xu4_defconfig | 1 + buildroot-external/configs/ova_defconfig | 1 + buildroot-external/configs/rpi2_defconfig | 1 + buildroot-external/configs/rpi3_64_defconfig | 1 + buildroot-external/configs/rpi3_defconfig | 1 + buildroot-external/configs/rpi4_64_defconfig | 1 + buildroot-external/configs/rpi4_defconfig | 1 + buildroot-external/configs/tinker_defconfig | 1 + buildroot-external/configs/yellow_defconfig | 1 + buildroot-external/kernel/hassos.config | 4 +++- 16 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/buildroot-external/configs/generic_aarch64_defconfig b/buildroot-external/configs/generic_aarch64_defconfig
index c0e468c9b..1b727b93f 100644
--- a/buildroot-external/configs/generic_aarch64_defconfig
+++ b/buildroot-external/configs/generic_aarch64_defconfig
@@ -72,6 +72,7 @@ BR2_PACKAGE_CA_CERTIFICATES=y
 BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/generic_x86_64_defconfig b/buildroot-external/configs/generic_x86_64_defconfig
index 84afb2f8a..3337a42f5 100644
--- a/buildroot-external/configs/generic_x86_64_defconfig
+++ b/buildroot-external/configs/generic_x86_64_defconfig
@@ -74,6 +74,7 @@ BR2_PACKAGE_CA_CERTIFICATES=y
 BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/khadas_vim3_defconfig b/buildroot-external/configs/khadas_vim3_defconfig
index b6d06a385..1b88f47fd 100644
--- a/buildroot-external/configs/khadas_vim3_defconfig
+++ b/buildroot-external/configs/khadas_vim3_defconfig
@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/odroid_c2_defconfig b/buildroot-external/configs/odroid_c2_defconfig
index 5dd24ce9e..4ae4cfdbe 100644
--- a/buildroot-external/configs/odroid_c2_defconfig
+++ b/buildroot-external/configs/odroid_c2_defconfig
@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/odroid_c4_defconfig b/buildroot-external/configs/odroid_c4_defconfig
index e35e72853..54d0af343 100644
--- a/buildroot-external/configs/odroid_c4_defconfig
+++ b/buildroot-external/configs/odroid_c4_defconfig
@@ -55,6 +55,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/odroid_n2_defconfig b/buildroot-external/configs/odroid_n2_defconfig
index 712e67b6e..b550017d7 100644
--- a/buildroot-external/configs/odroid_n2_defconfig
+++ b/buildroot-external/configs/odroid_n2_defconfig
@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/odroid_xu4_defconfig b/buildroot-external/configs/odroid_xu4_defconfig
index c9d9b6174..83194caa3 100644
--- a/buildroot-external/configs/odroid_xu4_defconfig
+++ b/buildroot-external/configs/odroid_xu4_defconfig
@@ -57,6 +57,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/ova_defconfig b/buildroot-external/configs/ova_defconfig
index 1501f1f94..398ff24b4 100644
--- a/buildroot-external/configs/ova_defconfig
+++ b/buildroot-external/configs/ova_defconfig
@@ -76,6 +76,7 @@ BR2_PACKAGE_CA_CERTIFICATES=y
 BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/rpi2_defconfig b/buildroot-external/configs/rpi2_defconfig
index 500e50251..b6c069c2f 100644
--- a/buildroot-external/configs/rpi2_defconfig
+++ b/buildroot-external/configs/rpi2_defconfig
@@ -61,6 +61,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/rpi3_64_defconfig b/buildroot-external/configs/rpi3_64_defconfig
index 0bda08281..7767bac14 100644
--- a/buildroot-external/configs/rpi3_64_defconfig
+++ b/buildroot-external/configs/rpi3_64_defconfig
@@ -63,6 +63,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/rpi3_defconfig b/buildroot-external/configs/rpi3_defconfig
index 3d5bf7d14..5426a422b 100644
--- a/buildroot-external/configs/rpi3_defconfig
+++ b/buildroot-external/configs/rpi3_defconfig
@@ -64,6 +64,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/rpi4_64_defconfig b/buildroot-external/configs/rpi4_64_defconfig
index 53199269f..853f81a7e 100644
--- a/buildroot-external/configs/rpi4_64_defconfig
+++ b/buildroot-external/configs/rpi4_64_defconfig
@@ -64,6 +64,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/rpi4_defconfig b/buildroot-external/configs/rpi4_defconfig
index 62bd3709e..6b5444896 100644
--- a/buildroot-external/configs/rpi4_defconfig
+++ b/buildroot-external/configs/rpi4_defconfig
@@ -63,6 +63,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/tinker_defconfig b/buildroot-external/configs/tinker_defconfig
index 1e2af2b90..cc4f06a39 100644
--- a/buildroot-external/configs/tinker_defconfig
+++ b/buildroot-external/configs/tinker_defconfig
@@ -59,6 +59,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/configs/yellow_defconfig b/buildroot-external/configs/yellow_defconfig
index 6a72f93f9..e03028630 100644
--- a/buildroot-external/configs/yellow_defconfig
+++ b/buildroot-external/configs/yellow_defconfig
@@ -64,6 +64,7 @@ BR2_PACKAGE_LIBCURL_CURL=y
 BR2_PACKAGE_LIBDNET=y
 BR2_PACKAGE_LIBCGROUP=y
 BR2_PACKAGE_LIBCGROUP_TOOLS=y
+BR2_PACKAGE_LIBSECCOMP=y
 BR2_PACKAGE_BLUEZ5_UTILS=y
 BR2_PACKAGE_BLUEZ5_UTILS_CLIENT=y
 BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_AUDIO=y
diff --git a/buildroot-external/kernel/hassos.config b/buildroot-external/kernel/hassos.config
index 1e9602610..4879831ab 100644
--- a/buildroot-external/kernel/hassos.config
+++ b/buildroot-external/kernel/hassos.config
@@ -22,7 +22,9 @@ CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_LZ4=y CONFIG_BTRFS_FS=m -# CONFIG_SECCOMP is not set +CONFIG_SECCOMP=y +CONFIG_SECCOMP_FILTER=y + CONFIG_AUDIT=y CONFIG_SECURITY=y CONFIG_SECURITY_APPARMOR=y
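Review bot: The two options added in the `hassos.config` hunk, `CONFIG_SECCOMP=y` and `CONFIG_SECCOMP_FILTER=y`, carry no comment saying what they actually protect. Per the commit description, containers started by Supervisor still run with seccomp disabled, so the filter would only apply to systemd and to anything else that opts in. A one-line comment above them would record that for the next maintainer, e.g. `# seccomp filtering for systemd/Docker (needs BR2_PACKAGE_LIBSECCOMP); Supervisor-started containers still run with seccomp disabled`. It is also worth confirming both symbols survive in the merged kernel `.config` of every board listed in the diffstat, since a fragment option with unmet dependencies is presumably dropped at merge time rather than failing the build.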