mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-30 06:10:56 +00:00
Code Issues Releases Wiki Activity

security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

Browse source 
Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: James Morris <james.l.morris@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
James Morris 2017-02-15 00:17:24 +11:00 committed by James Morris
parent 84e6885e9e
commit dd0859dccb
3 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
include/linux/lsm_hooks.h
View file

@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
} }
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */ #endif /* CONFIG_SECURITY_SELINUX_DISABLE */
/* Currently required to handle SELinux runtime hook disable. */
#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
#define __lsm_ro_after_init
#else
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
extern int __init security_module_enable(const char *module); extern int __init security_module_enable(const char *module);
extern void __init capability_add_hooks(void); extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA #ifdef CONFIG_SECURITY_YAMA

5
security/Kconfig
View file

@ -31,6 +31,11 @@ config SECURITY
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
config SECURITY_WRITABLE_HOOKS
depends on SECURITY
bool
default n
config SECURITYFS config SECURITYFS
bool "Enable the securityfs filesystem" bool "Enable the securityfs filesystem"
help help

6
security/selinux/Kconfig
View file

@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
config SECURITY_SELINUX_DISABLE config SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable" bool "NSA SELinux runtime disable"
depends on SECURITY_SELINUX depends on SECURITY_SELINUX
select SECURITY_WRITABLE_HOOKS
default n default n
help help
This option enables writing to a selinuxfs node 'disable', which This option enables writing to a selinuxfs node 'disable', which
@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
portability across platforms where boot parameters are difficult portability across platforms where boot parameters are difficult
to employ. to employ.
NOTE: selecting this option will disable the '__ro_after_init'
kernel hardening feature for security hooks. Please consider
using the selinux=0 boot parameter instead of enabling this
option.
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP config SECURITY_SELINUX_DEVELOP