
Commit dd0859dc authored by James Morris's avatar James Morris Committed by James Morris

security: introduce CONFIG_SECURITY_WRITABLE_HOOKS



Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Acked-by: default avatarKees Cook <keescook@chromium.org>
parent 84e6885e
+7 −0
@@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
}
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */

/* Currently required to handle SELinux runtime hook disable. */
#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
#define __lsm_ro_after_init
#else
#define __lsm_ro_after_init	__ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */

extern int __init security_module_enable(const char *module);
extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA
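Review bot: The comment above `__lsm_ro_after_init` does not say what the macro expands to in either configuration, so a reader of the header cannot tell that setting CONFIG_SECURITY_WRITABLE_HOOKS makes the annotation a no-op. Because the macro is defined in the shared hooks header rather than in SELinux code, it appears that every object annotated with it, for any LSM, stays writable after init once the option is set. The comment should record that, for example `/* Expands to __ro_after_init unless CONFIG_SECURITY_WRITABLE_HOOKS is set; with it set, annotated hook data stays writable after init (currently needed only for SELinux runtime disable). */`. The header continues outside the hunk on both sides.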
+5 −0
@@ -31,6 +31,11 @@ config SECURITY

	  If you are unsure how to answer this question, answer N.

config SECURITY_WRITABLE_HOOKS
	depends on SECURITY
	bool
	default n

config SECURITYFS
	bool "Enable the securityfs filesystem"
	help
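Review bot: `config SECURITY_WRITABLE_HOOKS` has no prompt and no help text or comment, so nothing at its definition says that it removes read-only protection from the hooks or that it is meant to be reached only through `select`. A one-line comment above the entry would record that, for example `# Selected by LSM options that must modify hooks after init; removes __ro_after_init protection from them.` As style points, `default n` is redundant for a `bool` with no other default, and the type line conventionally precedes `depends on`. With the symbol documented, anyone auditing a built kernel for this hardening knows to check the resulting config for `CONFIG_SECURITY_WRITABLE_HOOKS=y`.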
+6 −0
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
config SECURITY_SELINUX_DISABLE
	bool "NSA SELinux runtime disable"
	depends on SECURITY_SELINUX
	select SECURITY_WRITABLE_HOOKS
	default n
	help
	  This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
	  portability across platforms where boot parameters are difficult
	  to employ.

	  NOTE: selecting this option will disable the '__ro_after_init'
	  kernel hardening feature for security hooks.   Please consider
	  using the selinux=0 boot parameter instead of enabling this
	  option.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_DEVELOP
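Review bot: The NOTE added to the SECURITY_SELINUX_DISABLE help text says the hardening is disabled "for security hooks" without saying whose hooks, while the `select SECURITY_WRITABLE_HOOKS` line added in this file's first hunk sets a symbol that is not SELinux-specific. If later patches apply `__lsm_ro_after_init` to other modules' hook data, as the commit description suggests, enabling this SELinux option would leave those writable as well, and the help text should say so, e.g. `kernel hardening feature for the hooks of all enabled security modules.` The run of three spaces after "hooks." in the same paragraph looks unintentional.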