Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dd0859dc authored by James Morris's avatar James Morris Committed by James Morris
Browse files

security: introduce CONFIG_SECURITY_WRITABLE_HOOKS 



Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Acked-by: default avatarKees Cook <keescook@chromium.org>
parent 84e6885e

include/linux/lsm_hooks.h

+7 −0
Original line number Original line Diff line number Diff line
@@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, 
}

}

#endif /* CONFIG_SECURITY_SELINUX_DISABLE */

#endif /* CONFIG_SECURITY_SELINUX_DISABLE */





/* Currently required to handle SELinux runtime hook disable. */

#ifdef CONFIG_SECURITY_WRITABLE_HOOKS

#define __lsm_ro_after_init

#else

#define __lsm_ro_after_init	__ro_after_init

#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */



extern int __init security_module_enable(const char *module);

extern int __init security_module_enable(const char *module);

extern void __init capability_add_hooks(void);

extern void __init capability_add_hooks(void);

#ifdef CONFIG_SECURITY_YAMA

#ifdef CONFIG_SECURITY_YAMA

security/Kconfig

+5 −0
Original line number Original line Diff line number Diff line
@@ -31,6 +31,11 @@ config SECURITY 




	  If you are unsure how to answer this question, answer N.

	  If you are unsure how to answer this question, answer N.





config SECURITY_WRITABLE_HOOKS

	depends on SECURITY

	bool

	default n



config SECURITYFS

config SECURITYFS

	bool "Enable the securityfs filesystem"

	bool "Enable the securityfs filesystem"

	help

	help

security/selinux/Kconfig

+6 −0
Original line number Original line Diff line number Diff line
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE 
config SECURITY_SELINUX_DISABLE

config SECURITY_SELINUX_DISABLE

	bool "NSA SELinux runtime disable"

	bool "NSA SELinux runtime disable"

	depends on SECURITY_SELINUX

	depends on SECURITY_SELINUX

	select SECURITY_WRITABLE_HOOKS

	default n

	default n

	help

	help

	  This option enables writing to a selinuxfs node 'disable', which

	  This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE 
	  portability across platforms where boot parameters are difficult

	  portability across platforms where boot parameters are difficult

	  to employ.

	  to employ.





	  NOTE: selecting this option will disable the '__ro_after_init'

	  kernel hardening feature for security hooks.   Please consider

	  using the selinux=0 boot parameter instead of enabling this

	  option.



	  If you are unsure how to answer this question, answer N.

	  If you are unsure how to answer this question, answer N.





config SECURITY_SELINUX_DEVELOP

config SECURITY_SELINUX_DEVELOP