V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4200_boot/4250_update_grub_bootparameter.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Options in "GRUB_CMDLINE_LINUX" are always effective.
+### Options in "GRUB_CMDLINE_LINUX" are always effective, (incl. recovery).
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
 guard_sourcing
@@ -25,6 +25,7 @@ guard_sourcing
 #   VAR_DROPBEAR
 #   VAR_NUKE
 #   VAR_NUKE_HASH
+#   VAR_SEC_FW
 #   VV_GRUB_CMDLINE_LINUX
 #   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
@@ -55,6 +56,16 @@ update_grub_bootparameter() {
 
   done
 
+  if [[ "${VAR_SEC_FW}" == "apparmor" ]]; then
+
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
+
+  elif [[ "${VAR_SEC_FW}" == "selinux" ]]; then
+
+    ### We start in permissive mode first, so we don't pass 'enforcing=1' through the command line.
+    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} selinux=1 security=selinux"
+
+  fi
 
   if [[ "${VAR_DROPBEAR}" == "true" ]]; then
     var_label="${HMP_PATH_ENCLABEL["/"]}"