diff options
| author | Matthew Garrett <matthewgarrett@google.com> | 2019-08-19 20:17:39 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2019-08-20 00:54:15 -0400 |
| commit | 000d388ed3bbed745f366ce71b2bb7c2ee70f449 (patch) | |
| tree | 8df5d266713aa79f5009a515ec5db597a61aba30 /security/Kconfig | |
| parent | 9e47d31d6a57b5babaca36d42b0d11b6db6019b7 (diff) | |
security: Add a static lockdown policy LSM
While existing LSMs can be extended to handle lockdown policy,
distributions generally want to be able to apply a straightforward
static policy. This patch adds a simple LSM that can be configured to
reject either integrity or all lockdown queries, and can be configured
at runtime (through securityfs), boot time (via a kernel parameter) or
build time (via a kconfig option). Based on initial code by David
Howells.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/Kconfig')
| -rw-r--r-- | security/Kconfig | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/security/Kconfig b/security/Kconfig index 466cc1f8ffed..7c62d446e209 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
| @@ -237,6 +237,7 @@ source "security/apparmor/Kconfig" | |||
| 237 | source "security/loadpin/Kconfig" | 237 | source "security/loadpin/Kconfig" |
| 238 | source "security/yama/Kconfig" | 238 | source "security/yama/Kconfig" |
| 239 | source "security/safesetid/Kconfig" | 239 | source "security/safesetid/Kconfig" |
| 240 | source "security/lockdown/Kconfig" | ||
| 240 | 241 | ||
| 241 | source "security/integrity/Kconfig" | 242 | source "security/integrity/Kconfig" |
| 242 | 243 | ||
| @@ -276,11 +277,11 @@ endchoice | |||
| 276 | 277 | ||
| 277 | config LSM | 278 | config LSM |
| 278 | string "Ordered list of enabled LSMs" | 279 | string "Ordered list of enabled LSMs" |
| 279 | default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK | 280 | default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK |
| 280 | default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR | 281 | default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR |
| 281 | default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO | 282 | default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO |
| 282 | default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC | 283 | default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC |
| 283 | default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" | 284 | default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" |
| 284 | help | 285 | help |
| 285 | A comma-separated list of LSMs, in initialization order. | 286 | A comma-separated list of LSMs, in initialization order. |
| 286 | Any LSMs left off this list will be ignored. This can be | 287 | Any LSMs left off this list will be ignored. This can be |