mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-30 06:10:56 +00:00
security: introduce CONFIG_SECURITY_WRITABLE_HOOKS
Subsequent patches will add RO hardening to LSM hooks, however, SELinux still needs to be able to perform runtime disablement after init to handle architectures where init-time disablement via boot parameters is not feasible. Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS, and a helper macro __lsm_ro_after_init, to handle this case. Signed-off-by: James Morris <james.l.morris@oracle.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
84e6885e9e
commit
dd0859dccb
3 changed files with 18 additions and 0 deletions
|
@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
|
||||||
}
|
}
|
||||||
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
|
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
|
||||||
|
|
||||||
|
/* Currently required to handle SELinux runtime hook disable. */
|
||||||
|
#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
|
||||||
|
#define __lsm_ro_after_init
|
||||||
|
#else
|
||||||
|
#define __lsm_ro_after_init __ro_after_init
|
||||||
|
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
|
||||||
|
|
||||||
extern int __init security_module_enable(const char *module);
|
extern int __init security_module_enable(const char *module);
|
||||||
extern void __init capability_add_hooks(void);
|
extern void __init capability_add_hooks(void);
|
||||||
#ifdef CONFIG_SECURITY_YAMA
|
#ifdef CONFIG_SECURITY_YAMA
|
||||||
|
|
|
@ -31,6 +31,11 @@ config SECURITY
|
||||||
|
|
||||||
If you are unsure how to answer this question, answer N.
|
If you are unsure how to answer this question, answer N.
|
||||||
|
|
||||||
|
config SECURITY_WRITABLE_HOOKS
|
||||||
|
depends on SECURITY
|
||||||
|
bool
|
||||||
|
default n
|
||||||
|
|
||||||
config SECURITYFS
|
config SECURITYFS
|
||||||
bool "Enable the securityfs filesystem"
|
bool "Enable the securityfs filesystem"
|
||||||
help
|
help
|
||||||
|
|
|
@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
|
||||||
config SECURITY_SELINUX_DISABLE
|
config SECURITY_SELINUX_DISABLE
|
||||||
bool "NSA SELinux runtime disable"
|
bool "NSA SELinux runtime disable"
|
||||||
depends on SECURITY_SELINUX
|
depends on SECURITY_SELINUX
|
||||||
|
select SECURITY_WRITABLE_HOOKS
|
||||||
default n
|
default n
|
||||||
help
|
help
|
||||||
This option enables writing to a selinuxfs node 'disable', which
|
This option enables writing to a selinuxfs node 'disable', which
|
||||||
|
@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
|
||||||
portability across platforms where boot parameters are difficult
|
portability across platforms where boot parameters are difficult
|
||||||
to employ.
|
to employ.
|
||||||
|
|
||||||
|
NOTE: selecting this option will disable the '__ro_after_init'
|
||||||
|
kernel hardening feature for security hooks. Please consider
|
||||||
|
using the selinux=0 boot parameter instead of enabling this
|
||||||
|
option.
|
||||||
|
|
||||||
If you are unsure how to answer this question, answer N.
|
If you are unsure how to answer this question, answer N.
|
||||||
|
|
||||||
config SECURITY_SELINUX_DEVELOP
|
config SECURITY_SELINUX_DEVELOP
|
||||||
|
|
Loading…
Reference in a new issue