Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: James Morris <james.l.morris@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Kees Cook <keescook@chromium.org>
James Morris 8 years ago
parent
84e6885e9e
commit
dd0859dccb
3 changed files with 18 additions and 0 deletions
Split View Show Diff Stats
  1. 7 0
      include/linux/lsm_hooks.h
  2. 5 0
      security/Kconfig
  3. 6 0
      security/selinux/Kconfig

+ 7 - 0
include/linux/lsm_hooks.h
View File 

@@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
 
 }
 
 #endif /* CONFIG_SECURITY_SELINUX_DISABLE */
 
 
+/* Currently required to handle SELinux runtime hook disable. */
 
+#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
 
+#define __lsm_ro_after_init
 
+#else
 
+#define __lsm_ro_after_init	__ro_after_init
 
+#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
 
+
 
 extern int __init security_module_enable(const char *module);
 
 extern void __init capability_add_hooks(void);
 
 #ifdef CONFIG_SECURITY_YAMA

+ 5 - 0
security/Kconfig
View File 

@@ -31,6 +31,11 @@ config SECURITY
 
 
 	  If you are unsure how to answer this question, answer N.
 
 
+config SECURITY_WRITABLE_HOOKS
 
+	depends on SECURITY
 
+	bool
 
+	default n
 
+
 
 config SECURITYFS
 
 	bool "Enable the securityfs filesystem"
 
 	help

+ 6 - 0
security/selinux/Kconfig
View File 

@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
 
 config SECURITY_SELINUX_DISABLE
 
 	bool "NSA SELinux runtime disable"
 
 	depends on SECURITY_SELINUX
 
+	select SECURITY_WRITABLE_HOOKS
 
 	default n
 
 	help
 
 	  This option enables writing to a selinuxfs node 'disable', which
 
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
 
 	  portability across platforms where boot parameters are difficult
 
 	  to employ.
 
 
+	  NOTE: selecting this option will disable the '__ro_after_init'
 
+	  kernel hardening feature for security hooks.   Please consider
 
+	  using the selinux=0 boot parameter instead of enabling this
 
+	  option.
 
+
 
 	  If you are unsure how to answer this question, answer N.
 
 
 config SECURITY_SELINUX_DEVELOP