From 342e858d6648fdf5875ca819f6aa851d76851e0f Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Thu, 27 Aug 2020 14:14:40 -0400 Subject: [PATCH] sys-kernel: make lockdown available This will not be enabled by default, and still requires the "lockdown" kernel parameter. Users can test by setting in `/usr/share/oem/grub.cfg`: ``` set linux_append="lockdown=integrity" ``` After this is set, dmesg output you'll see: ``` [ 0.000000] Kernel is locked down from command line; see man kernel_lockdown.7 ``` Signed-off-by: Vincent Batts --- .../sys-kernel/coreos-modules/files/commonconfig-5.8 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.8 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.8 index 7080578e04..4b8edaef18 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.8 +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-5.8 @@ -792,6 +792,8 @@ CONFIG_SCSI_SYM53C8XX_2=m CONFIG_SCSI_VIRTIO=m CONFIG_SCTP_COOKIE_HMAC_SHA1=y CONFIG_SECURITY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_SELINUX=y
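Review bot: The hunk adds only CONFIG_SECURITY_LOCKDOWN_LSM=y and CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, but the `lockdown=integrity` opt-in described in the commit message only takes effect if "lockdown" is in the LSM initialization order (CONFIG_LSM), which this hunk does not show; please confirm the config relies on the kernel's default CONFIG_LSM list (which includes lockdown) or set CONFIG_LSM explicitly in commonconfig-5.8 so the parameter cannot silently become a no-op. Since the message states lockdown is not enabled by default, it would also help to record that choice in the config by adding `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` next to the two new lines, so a later reviewer does not have to infer from the absence of a FORCE_INTEGRITY/FORCE_CONFIDENTIALITY line that the mode is command-line driven. Finally, the testing note in the message quotes the dmesg line but not how to verify the mode afterwards; mentioning that /sys/kernel/security/lockdown reports the active mode would give users a check beyond the boot message.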