feat:lsm_bbg_support

2025-12-16 13:42:00 -05:00 · 2025-10-09 12:40:06 +08:00
parent e7b2b4892a
commit 51c3213124
2 changed files with 32 additions and 4 deletions
--- a/.github/workflows/build-gki-kernel.yml
+++ b/.github/workflows/build-gki-kernel.yml
@@ -23,6 +23,11 @@ on:
        required: false
        default: "false"
        type: boolean
+      enable_lsm:
+        description: "Enable LSM_BBG support"
+        required: false
+        default: "false"
+        type: boolean
      lto_solution:
        description: "Select the level of lto"
        required: false
@@ -267,9 +272,9 @@ jobs:
            cd ../
            patch -p1 --fuzz=3 --ignore-whitespace < 50_add_susfs_in_gki-android14-6.1.patch || true

-            echo "✅ Susfs patch step finished"
+            echo "✅ SUSFS patch step finished"
          else
-            echo "ℹ️ Susfs patches skipped"
+            echo "ℹ️ SUSFS patches skipped"
          fi

      - name: Enable SCHED support
@@ -286,6 +291,28 @@ jobs:
           echo "ℹ️ SCHED skipped"
          fi

+      - name: Enable LSM_BBG support
+        run: |
+          if [ "${{ inputs.enable_lsm }}" = "true" ]; then
+            cd $GITHUB_WORKSPACE/kernel/android_kernel_oneplus_sm8650
+            echo "正在启用内核级基带保护支持…"
+            wget -O- https://github.com/vc-teahouse/Baseband-guard/raw/main/setup.sh | bash
+            sed -i '/^config LSM$/,/^help$/{ /^[[:space:]]*default/ { /baseband_guard/! s/landlock/landlock,baseband_guard/ } }' security/Kconfig
+            
+            mkdir -p kernel/configs
+            printf '%s\n' \
+              '# Fragment config for enabling LSM' \
+              'CONFIG_BBG=y' > kernel/configs/lsm.config
+
+            export ARCH=arm64
+            export KCONFIG_CONFIG=arch/arm64/configs/config_defconfig.new
+            scripts/kconfig/merge_config.sh -m arch/arm64/configs/config_defconfig kernel/configs/lsm.config
+            mv arch/arm64/configs/config_defconfig.new arch/arm64/configs/config_defconfig
+            echo "✅ LSM_BBG step finished"
+          else
+           echo "ℹ️ LSM_BBG skipped"
+          fi
+
      - name: Build kernel
        run: |
          set -euo pipefail
--- a/README.md
+++ b/README.md
@@ -18,10 +18,11 @@
 - Use clang-r547379
 - Enable ThinLTO/FullLTO to build
 - Enable Root support : kernelsu/SukiSU/kernelsu-next
- Enable SCHED support : Enable Fengchi scx scheduling
- Enable SUSFS support : You can build susfs into kernel
 - Enable BBR support : Enable bbr congestion control algorithm
 - Enable ZRAM support : Enable extra zram algorithm(LZ4KD/LZ4K_oplus)
+- Enable SUSFS support : You can build susfs into kernel
+- Enable SCHED support : Enable Fengchi scx scheduling
+- Enable LSM_BBG support ：block unauthorized writes to critical partitions/device nodes
 - Enable Anykernel3 support : Packaged as a zip package of anykernel3

 To be continued...