defconfig

# Minimal dependencies.
CONFIG_AUDIT=y
CONFIG_NET=y
CONFIG_INET=y
CONFIG_IPV6=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y

# For testing of labeled IPSEC, NetLabel, and SECMARK functionality.
# Not strictly required for basic SELinux operation.
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_NETLABEL=y
CONFIG_IP_NF_SECURITY=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_AH=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_AH=m
CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired
CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m # used for testing sctp

# Filesystem security labeling support.
# Only need to enable the ones for the filesystems on which you are testing.
# reiserfs is not supported.
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_XFS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y

# Network protocol implementations.
# These are enabled to test the extended socket classes in
# tests/extended_socket_class; they are not required
# for SELinux operation itself.
CONFIG_IP_SCTP=m
CONFIG_BT=m
CONFIG_CRYPTO_USER_API=m

# Network protocol implementations.
# These are enabled to run sctp ASCONF tests using a GRE tunnel
CONFIG_NET_IPGRE_DEMUX=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IPV6_GRE=m

# Netlink protocol implementations.
# These are enabled to test the netlink socket controls in
# tests/netlink_socket; they are not required for SELinux operation itself.
CONFIG_SCSI_ISCSI_ATTRS=m
CONFIG_NETFILTER_NETLINK=m
CONFIG_CRYPTO_USER=m
CONFIG_NF_TABLES=m

# Overlay fs.
# This is enabled to test overlayfs SELinux integration.
# It is not required for SELinux operation itself.
CONFIG_OVERLAY_FS=m

# Android binder implementations.
# These are enabled to test the binder controls in
# tests/binder; they are not required for SELinux operation itself.
CONFIG_ANDROID=y
CONFIG_ANDROID_BINDER_DEVICES="binder"
CONFIG_ANDROID_BINDER_IPC=y
# This will configure the Dynamically Allocated Binder Devices added
# to 5.0+ kernels:
CONFIG_ANDROID_BINDERFS=y

# Test BPF + check in selinux_file_receive and selinux_binder_transfer_files.
# They are not required for SELinux operation itself.
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y

# Keys implementation.
# These are enabled to test the key controls in tests/keys; they are
# not required for SELinux operation itself.
CONFIG_KEYS=y
CONFIG_KEYS_COMPAT=y
CONFIG_KEY_DH_OPERATIONS=y

# Test key management socket.
# This is not required for SELinux operation itself.
CONFIG_NET_KEY=m

# Test TUN/TAP driver support.
# This is not required for SELinux operation itself.
CONFIG_TUN=m

# Test perf events.
# This is not required for SELinux operation itself.
CONFIG_HAVE_PERF_EVENTS=y
CONFIG_PERF_EVENTS=y
CONFIG_TRACEPOINTS=y

# Test filesystem permissions.
# This is not required for SELinux operation itself.
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0
CONFIG_QFMT_V2=y

# Test labeled NFS.
# This is not required for SELinux operation itself.
CONFIG_NFS_FS=m
CONFIG_NFS_V4=m
CONFIG_NFS_V4_1=y
CONFIG_NFS_V4_2=y
CONFIG_NFS_V4_SECURITY_LABEL=y
CONFIG_NFSD=m
CONFIG_NFSD_V4=y
CONFIG_NFSD_V4_SECURITY_LABEL=y

# Test XFS and VFAT filesystems.
# This is not required for SELinux operation itself.
CONFIG_XFS_FS=m
CONFIG_XFS_QUOTA=y
CONFIG_VFAT_FS=m
CONFIG_FAT_DEFAULT_IOCHARSET="ascii"

# watch_queue for key changes.
# They are not required for SELinux operation itself.
CONFIG_WATCH_QUEUE=y
CONFIG_KEY_NOTIFICATIONS=y

# Test lockdown permissions (via tracefs and debugfs).
# This is not required for SELinux operation itself.
CONFIG_TRACING=y
CONFIG_DEBUG_FS=y