Enable other LSMs

Lockdown is a useful and needed thing, thanks to consta@ for ideas about it.
Other LSMs may also be useful (nowadays multiple LSMs can be enabled, so enable as many as possible so thet users sould use them).

Answered with default values to most questions.
Reporting of granted accesses (CONFIG_SECURITY_SMACK_BRINGUP) and packet marking (CONFIG_SECURITY_SMACK_NETFILTER) in SMACK were enbaled
for debug and because it may be potentially useful. We do not have plans to use SMACK for now by default.

kernel-arm64.config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 5.15.65 Kernel Configuration
+# Linux/arm64 5.15.74 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0 20210728 (ROSA)"
 CONFIG_CC_IS_GCC=y
@@ -11996,14 +11996,31 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
-# CONFIG_SECURITY_TOMOYO is not set
+CONFIG_SECURITY_SMACK_BRINGUP=y
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_SMACK_NETFILTER=y
-# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_TOMOYO=y
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
-# CONFIG_SECURITY_LANDLOCK is not set
+# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
+CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
+CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
+# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_SECURITY_LOADPIN=y
+# CONFIG_SECURITY_LOADPIN_ENFORCE is not set
+CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_SAFESETID=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_ALTHA=y
 # CONFIG_SECURITY_KIOSK is not set
 CONFIG_INTEGRITY=y
@@ -12039,10 +12056,14 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 # CONFIG_IMA_DISABLE_HTABLE is not set
 CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
 CONFIG_EVM_ADD_XATTRS=y
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
+# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,bpf,altha"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,altha,kiosk"
 
 #
 # Kernel hardening options

kernel-i686.config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.65 Kernel Configuration
+# Linux/x86 5.15.74 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0 20210728 (ROSA)"
 CONFIG_CC_IS_GCC=y
@@ -10361,14 +10361,31 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
-# CONFIG_SECURITY_TOMOYO is not set
+CONFIG_SECURITY_SMACK_BRINGUP=y
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_SMACK_NETFILTER=y
-# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_TOMOYO=y
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
-# CONFIG_SECURITY_LANDLOCK is not set
+# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
+CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
+CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
+# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_SECURITY_LOADPIN=y
+# CONFIG_SECURITY_LOADPIN_ENFORCE is not set
+CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_SAFESETID=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_ALTHA=y
 # CONFIG_SECURITY_KIOSK is not set
 CONFIG_INTEGRITY=y
@@ -10403,10 +10420,14 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 # CONFIG_IMA_DISABLE_HTABLE is not set
 CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
 CONFIG_EVM_ADD_XATTRS=y
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
+# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,bpf,altha"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,altha,kiosk"
 
 #
 # Kernel hardening options

kernel-x86_64.config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.65 Kernel Configuration
+# Linux/x86 5.15.74 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0 20210728 (ROSA)"
 CONFIG_CC_IS_GCC=y
@@ -10205,14 +10205,31 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
-# CONFIG_SECURITY_TOMOYO is not set
+CONFIG_SECURITY_SMACK_BRINGUP=y
-# CONFIG_SECURITY_APPARMOR is not set
+CONFIG_SECURITY_SMACK_NETFILTER=y
-# CONFIG_SECURITY_LOADPIN is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
-# CONFIG_SECURITY_YAMA is not set
+CONFIG_SECURITY_TOMOYO=y
-# CONFIG_SECURITY_SAFESETID is not set
+CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048
-# CONFIG_SECURITY_LOCKDOWN_LSM is not set
+CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
-# CONFIG_SECURITY_LANDLOCK is not set
+# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set
+CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init"
+CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init"
+# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+# CONFIG_SECURITY_APPARMOR_DEBUG is not set
+CONFIG_SECURITY_LOADPIN=y
+# CONFIG_SECURITY_LOADPIN_ENFORCE is not set
+CONFIG_SECURITY_YAMA=y
+CONFIG_SECURITY_SAFESETID=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_ALTHA=y
 # CONFIG_SECURITY_KIOSK is not set
 CONFIG_INTEGRITY=y
@@ -10247,10 +10264,14 @@ CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 # CONFIG_IMA_DISABLE_HTABLE is not set
 CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
 CONFIG_EVM_ADD_XATTRS=y
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
+# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
-CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,bpf,altha"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,altha,kiosk"
 
 #
 # Kernel hardening options