Commit dd0859dc authored by James Morris's avatar James Morris Committed by James Morris

security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Acked-by: default avatarKees Cook <keescook@chromium.org>
parent 84e6885e
...@@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, ...@@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
} }
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */ #endif /* CONFIG_SECURITY_SELINUX_DISABLE */
/* Currently required to handle SELinux runtime hook disable. */
#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
#define __lsm_ro_after_init
#else
#define __lsm_ro_after_init __ro_after_init
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
extern int __init security_module_enable(const char *module); extern int __init security_module_enable(const char *module);
extern void __init capability_add_hooks(void); extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA #ifdef CONFIG_SECURITY_YAMA
......
...@@ -31,6 +31,11 @@ config SECURITY ...@@ -31,6 +31,11 @@ config SECURITY
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
config SECURITY_WRITABLE_HOOKS
depends on SECURITY
bool
default n
config SECURITYFS config SECURITYFS
bool "Enable the securityfs filesystem" bool "Enable the securityfs filesystem"
help help
......
...@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE ...@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
config SECURITY_SELINUX_DISABLE config SECURITY_SELINUX_DISABLE
bool "NSA SELinux runtime disable" bool "NSA SELinux runtime disable"
depends on SECURITY_SELINUX depends on SECURITY_SELINUX
select SECURITY_WRITABLE_HOOKS
default n default n
help help
This option enables writing to a selinuxfs node 'disable', which This option enables writing to a selinuxfs node 'disable', which
...@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE ...@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
portability across platforms where boot parameters are difficult portability across platforms where boot parameters are difficult
to employ. to employ.
NOTE: selecting this option will disable the '__ro_after_init'
kernel hardening feature for security hooks. Please consider
using the selinux=0 boot parameter instead of enabling this
option.
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
config SECURITY_SELINUX_DEVELOP config SECURITY_SELINUX_DEVELOP
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment