Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6e65f92f authored by John Johansen's avatar John Johansen Committed by James Morris
Browse files

Config option to set a default LSM 



The LSM currently requires setting a kernel parameter at boot to select
a specific LSM.  This adds a config option that allows specifying a default
LSM that is used unless overridden with the security= kernel parameter.
If the the config option is not set the current behavior of first LSM
to register is used.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 0e1a6ef2

security/Kconfig

+32 −0
Original line number Diff line number Diff line
@@ -152,5 +152,37 @@ source security/tomoyo/Kconfig 


source security/integrity/ima/Kconfig



choice

	prompt "Default security module"

	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX

	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK

	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO

	default DEFAULT_SECURITY_DAC



	help

	  Select the security module that will be used by default if the

	  kernel parameter security= is not specified.



	config DEFAULT_SECURITY_SELINUX

		bool "SELinux" if SECURITY_SELINUX=y



	config DEFAULT_SECURITY_SMACK

		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y



	config DEFAULT_SECURITY_TOMOYO

		bool "TOMOYO" if SECURITY_TOMOYO=y



	config DEFAULT_SECURITY_DAC

		bool "Unix Discretionary Access Controls"



endchoice



config DEFAULT_SECURITY

	string

	default "selinux" if DEFAULT_SECURITY_SELINUX

	default "smack" if DEFAULT_SECURITY_SMACK

	default "tomoyo" if DEFAULT_SECURITY_TOMOYO

	default "" if DEFAULT_SECURITY_DAC



endmenu

security/security.c

+6 −3
Original line number Diff line number Diff line
@@ -19,7 +19,8 @@ 
#include <linux/ima.h>



/* Boot-time LSM user choice */

static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];

static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =

	CONFIG_DEFAULT_SECURITY;



/* things that live in capability.c */

extern struct security_operations default_security_ops;
@@ -80,8 +81,10 @@ __setup("security=", choose_lsm); 
 *

 * Return true if:

 *	-The passed LSM is the one chosen by user at boot time,

 *	-or user didn't specify a specific LSM and we're the first to ask

 *	 for registration permission,

 *	-or the passed LSM is configured as the default and the user did not

 *	 choose an alternate LSM at boot time,

 *	-or there is no default LSM set and the user didn't specify a

 *	 specific LSM and we're the first to ask for registration permission,

 *	-or the passed LSM is currently loaded.

 * Otherwise, return false.

 */