security: introduce CONFIG_SECURITY_WRITABLE_HOOKS
Subsequent patches will add RO hardening to LSM hooks, however, SELinux still needs to be able to perform runtime disablement after init to handle architectures where init-time disablement via boot parameters is not feasible. Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS, and a helper macro __lsm_ro_after_init, to handle this case. Signed-off-by: James Morris <james.l.morris@oracle.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Kees Cook <keescook@chromium.org>zero-colors
James Morris
James Morris
parent
84e6885e9e
commit
dd0859dccb
|
|
@ -1920,6 +1920,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
|
|||
}
|
||||
#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
|
||||
|
||||
/* Currently required to handle SELinux runtime hook disable. */
|
||||
#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
|
||||
#define __lsm_ro_after_init
|
||||
#else
|
||||
#define __lsm_ro_after_init __ro_after_init
|
||||
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
|
||||
|
||||
extern int __init security_module_enable(const char *module);
|
||||
extern void __init capability_add_hooks(void);
|
||||
#ifdef CONFIG_SECURITY_YAMA
|
||||
|
|
|
|||
|
|
@ -31,6 +31,11 @@ config SECURITY
|
|||
|
||||
If you are unsure how to answer this question, answer N.
|
||||
|
||||
config SECURITY_WRITABLE_HOOKS
|
||||
depends on SECURITY
|
||||
bool
|
||||
default n
|
||||
|
||||
config SECURITYFS
|
||||
bool "Enable the securityfs filesystem"
|
||||
help
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
|
|||
config SECURITY_SELINUX_DISABLE
|
||||
bool "NSA SELinux runtime disable"
|
||||
depends on SECURITY_SELINUX
|
||||
select SECURITY_WRITABLE_HOOKS
|
||||
default n
|
||||
help
|
||||
This option enables writing to a selinuxfs node 'disable', which
|
||||
|
|
@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
|
|||
portability across platforms where boot parameters are difficult
|
||||
to employ.
|
||||
|
||||
NOTE: selecting this option will disable the '__ro_after_init'
|
||||
kernel hardening feature for security hooks. Please consider
|
||||
using the selinux=0 boot parameter instead of enabling this
|
||||
option.
|
||||
|
||||
If you are unsure how to answer this question, answer N.
|
||||
|
||||
config SECURITY_SELINUX_DEVELOP
|
||||
|
|
|
|||
Loading…
Reference in New Issue