security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: James Morris <james.l.morris@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Kees Cook <keescook@chromium.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ea7e3efbe0f7..8af7a690eb40 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
 config SECURITY_SELINUX_DISABLE
         bool "NSA SELinux runtime disable"
         depends on SECURITY_SELINUX
+        select SECURITY_WRITABLE_HOOKS
         default n
         help
           This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
           portability across platforms where boot parameters are difficult
           to employ.
 
+          NOTE: selecting this option will disable the '__ro_after_init'
+          kernel hardening feature for security hooks.   Please consider
+          using the selinux=0 boot parameter instead of enabling this
+          option.
+
           If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP