diff options
| author | Kees Cook <keescook@chromium.org> | 2018-10-01 20:08:57 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2019-01-08 16:18:43 -0500 |
| commit | be6ec88f41ba94746f830ba38cc4d08dd5ddbb08 (patch) | |
| tree | 4f660979afb89835d9dee6f80444e491ede591bc /security/selinux | |
| parent | 0102fb83f90050b86ce37aec810ea17bb4448e0c (diff) | |
selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE
In preparation for removing CONFIG_DEFAULT_SECURITY, this removes the
soon-to-be redundant SECURITY_SELINUX_BOOTPARAM_VALUE. Since explicit
ordering via CONFIG_LSM or "lsm=" will define whether an LSM is enabled or
not, this CONFIG will become effectively ignored, so remove it. However,
in order to stay backward-compatible with "security=selinux", the enable
variable defaults to true.
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/Kconfig | 15 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 5 |
2 files changed, 1 insertions, 19 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 8af7a690eb40..55f032f1fc2d 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig | |||
| @@ -22,21 +22,6 @@ config SECURITY_SELINUX_BOOTPARAM | |||
| 22 | 22 | ||
| 23 | If you are unsure how to answer this question, answer N. | 23 | If you are unsure how to answer this question, answer N. |
| 24 | 24 | ||
| 25 | config SECURITY_SELINUX_BOOTPARAM_VALUE | ||
| 26 | int "NSA SELinux boot parameter default value" | ||
| 27 | depends on SECURITY_SELINUX_BOOTPARAM | ||
| 28 | range 0 1 | ||
| 29 | default 1 | ||
| 30 | help | ||
| 31 | This option sets the default value for the kernel parameter | ||
| 32 | 'selinux', which allows SELinux to be disabled at boot. If this | ||
| 33 | option is set to 0 (zero), the SELinux kernel parameter will | ||
| 34 | default to 0, disabling SELinux at bootup. If this option is | ||
| 35 | set to 1 (one), the SELinux kernel parameter will default to 1, | ||
| 36 | enabling SELinux at bootup. | ||
| 37 | |||
| 38 | If you are unsure how to answer this question, answer 1. | ||
| 39 | |||
| 40 | config SECURITY_SELINUX_DISABLE | 25 | config SECURITY_SELINUX_DISABLE |
| 41 | bool "NSA SELinux runtime disable" | 26 | bool "NSA SELinux runtime disable" |
| 42 | depends on SECURITY_SELINUX | 27 | depends on SECURITY_SELINUX |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 49865f119b16..c5d9fbbb5e5b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -121,9 +121,8 @@ __setup("enforcing=", enforcing_setup); | |||
| 121 | #define selinux_enforcing_boot 1 | 121 | #define selinux_enforcing_boot 1 |
| 122 | #endif | 122 | #endif |
| 123 | 123 | ||
| 124 | int selinux_enabled __lsm_ro_after_init = 1; | ||
| 124 | #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM | 125 | #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM |
| 125 | int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE; | ||
| 126 | |||
| 127 | static int __init selinux_enabled_setup(char *str) | 126 | static int __init selinux_enabled_setup(char *str) |
| 128 | { | 127 | { |
| 129 | unsigned long enabled; | 128 | unsigned long enabled; |
| @@ -132,8 +131,6 @@ static int __init selinux_enabled_setup(char *str) | |||
| 132 | return 1; | 131 | return 1; |
| 133 | } | 132 | } |
| 134 | __setup("selinux=", selinux_enabled_setup); | 133 | __setup("selinux=", selinux_enabled_setup); |
| 135 | #else | ||
| 136 | int selinux_enabled = 1; | ||
| 137 | #endif | 134 | #endif |
| 138 | 135 | ||
| 139 | static unsigned int selinux_checkreqprot_boot = | 136 | static unsigned int selinux_checkreqprot_boot = |