diff options
| author | Kees Cook <keescook@chromium.org> | 2015-07-23 21:02:48 -0400 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2015-07-27 23:18:19 -0400 |
| commit | 730daa164e7c7e31c08fab940549f4acc3329432 (patch) | |
| tree | 8c125b404c785f8de46a04d4f43fccef6744f0a8 /security | |
| parent | fe6c59dc17908effd4e2caa666795b9ad984005b (diff) | |
Yama: remove needless CONFIG_SECURITY_YAMA_STACKED
Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded
config for Yama to be made to explicitly stack. Just selecting the main
Yama CONFIG will allow it to work, regardless of the major LSM. Since
distros using Yama are already forcing it to stack, this is effectively
a no-op change.
Additionally add MAINTAINERS entry.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/Kconfig | 5 | ||||
| -rw-r--r-- | security/security.c | 11 | ||||
| -rw-r--r-- | security/yama/Kconfig | 9 | ||||
| -rw-r--r-- | security/yama/yama_lsm.c | 32 |
4 files changed, 14 insertions, 43 deletions
diff --git a/security/Kconfig b/security/Kconfig index bf4ec46474b6..e45237897b43 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
| @@ -132,7 +132,6 @@ choice | |||
| 132 | default DEFAULT_SECURITY_SMACK if SECURITY_SMACK | 132 | default DEFAULT_SECURITY_SMACK if SECURITY_SMACK |
| 133 | default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO | 133 | default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO |
| 134 | default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR | 134 | default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR |
| 135 | default DEFAULT_SECURITY_YAMA if SECURITY_YAMA | ||
| 136 | default DEFAULT_SECURITY_DAC | 135 | default DEFAULT_SECURITY_DAC |
| 137 | 136 | ||
| 138 | help | 137 | help |
| @@ -151,9 +150,6 @@ choice | |||
| 151 | config DEFAULT_SECURITY_APPARMOR | 150 | config DEFAULT_SECURITY_APPARMOR |
| 152 | bool "AppArmor" if SECURITY_APPARMOR=y | 151 | bool "AppArmor" if SECURITY_APPARMOR=y |
| 153 | 152 | ||
| 154 | config DEFAULT_SECURITY_YAMA | ||
| 155 | bool "Yama" if SECURITY_YAMA=y | ||
| 156 | |||
| 157 | config DEFAULT_SECURITY_DAC | 153 | config DEFAULT_SECURITY_DAC |
| 158 | bool "Unix Discretionary Access Controls" | 154 | bool "Unix Discretionary Access Controls" |
| 159 | 155 | ||
| @@ -165,7 +161,6 @@ config DEFAULT_SECURITY | |||
| 165 | default "smack" if DEFAULT_SECURITY_SMACK | 161 | default "smack" if DEFAULT_SECURITY_SMACK |
| 166 | default "tomoyo" if DEFAULT_SECURITY_TOMOYO | 162 | default "tomoyo" if DEFAULT_SECURITY_TOMOYO |
| 167 | default "apparmor" if DEFAULT_SECURITY_APPARMOR | 163 | default "apparmor" if DEFAULT_SECURITY_APPARMOR |
| 168 | default "yama" if DEFAULT_SECURITY_YAMA | ||
| 169 | default "" if DEFAULT_SECURITY_DAC | 164 | default "" if DEFAULT_SECURITY_DAC |
| 170 | 165 | ||
| 171 | endmenu | 166 | endmenu |
diff --git a/security/security.c b/security/security.c index 595fffab48b0..e693ffcf9266 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -56,18 +56,13 @@ int __init security_init(void) | |||
| 56 | pr_info("Security Framework initialized\n"); | 56 | pr_info("Security Framework initialized\n"); |
| 57 | 57 | ||
| 58 | /* | 58 | /* |
| 59 | * Always load the capability module. | 59 | * Load minor LSMs, with the capability module always first. |
| 60 | */ | 60 | */ |
| 61 | capability_add_hooks(); | 61 | capability_add_hooks(); |
| 62 | #ifdef CONFIG_SECURITY_YAMA_STACKED | ||
| 63 | /* | ||
| 64 | * If Yama is configured for stacking load it next. | ||
| 65 | */ | ||
| 66 | yama_add_hooks(); | 62 | yama_add_hooks(); |
| 67 | #endif | 63 | |
| 68 | /* | 64 | /* |
| 69 | * Load the chosen module if there is one. | 65 | * Load all the remaining security modules. |
| 70 | * This will also find yama if it is stacking | ||
| 71 | */ | 66 | */ |
| 72 | do_security_initcalls(); | 67 | do_security_initcalls(); |
| 73 | 68 | ||
diff --git a/security/yama/Kconfig b/security/yama/Kconfig index 3123e1da2fed..90c605eea892 100644 --- a/security/yama/Kconfig +++ b/security/yama/Kconfig | |||
| @@ -6,14 +6,7 @@ config SECURITY_YAMA | |||
| 6 | This selects Yama, which extends DAC support with additional | 6 | This selects Yama, which extends DAC support with additional |
| 7 | system-wide security settings beyond regular Linux discretionary | 7 | system-wide security settings beyond regular Linux discretionary |
| 8 | access controls. Currently available is ptrace scope restriction. | 8 | access controls. Currently available is ptrace scope restriction. |
| 9 | Like capabilities, this security module stacks with other LSMs. | ||
| 9 | Further information can be found in Documentation/security/Yama.txt. | 10 | Further information can be found in Documentation/security/Yama.txt. |
| 10 | 11 | ||
| 11 | If you are unsure how to answer this question, answer N. | 12 | If you are unsure how to answer this question, answer N. |
| 12 | |||
| 13 | config SECURITY_YAMA_STACKED | ||
| 14 | bool "Yama stacked with other LSMs" | ||
| 15 | depends on SECURITY_YAMA | ||
| 16 | default n | ||
| 17 | help | ||
| 18 | When Yama is built into the kernel, force it to stack with the | ||
| 19 | selected primary LSM. | ||
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 9ed32502470e..d3c19c970a06 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c | |||
| @@ -353,11 +353,6 @@ static struct security_hook_list yama_hooks[] = { | |||
| 353 | LSM_HOOK_INIT(task_free, yama_task_free), | 353 | LSM_HOOK_INIT(task_free, yama_task_free), |
| 354 | }; | 354 | }; |
| 355 | 355 | ||
| 356 | void __init yama_add_hooks(void) | ||
| 357 | { | ||
| 358 | security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks)); | ||
| 359 | } | ||
| 360 | |||
| 361 | #ifdef CONFIG_SYSCTL | 356 | #ifdef CONFIG_SYSCTL |
| 362 | static int yama_dointvec_minmax(struct ctl_table *table, int write, | 357 | static int yama_dointvec_minmax(struct ctl_table *table, int write, |
| 363 | void __user *buffer, size_t *lenp, loff_t *ppos) | 358 | void __user *buffer, size_t *lenp, loff_t *ppos) |
| @@ -396,25 +391,18 @@ static struct ctl_table yama_sysctl_table[] = { | |||
| 396 | }, | 391 | }, |
| 397 | { } | 392 | { } |
| 398 | }; | 393 | }; |
| 399 | #endif /* CONFIG_SYSCTL */ | 394 | static void __init yama_init_sysctl(void) |
| 400 | |||
| 401 | static __init int yama_init(void) | ||
| 402 | { | 395 | { |
| 403 | #ifndef CONFIG_SECURITY_YAMA_STACKED | ||
| 404 | /* | ||
| 405 | * If yama is being stacked this is already taken care of. | ||
| 406 | */ | ||
| 407 | if (!security_module_enable("yama")) | ||
| 408 | return 0; | ||
| 409 | #endif | ||
| 410 | pr_info("Yama: becoming mindful.\n"); | ||
| 411 | |||
| 412 | #ifdef CONFIG_SYSCTL | ||
| 413 | if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) | 396 | if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) |
| 414 | panic("Yama: sysctl registration failed.\n"); | 397 | panic("Yama: sysctl registration failed.\n"); |
| 415 | #endif | ||
| 416 | |||
| 417 | return 0; | ||
| 418 | } | 398 | } |
| 399 | #else | ||
| 400 | static inline void yama_init_sysctl(void) { } | ||
| 401 | #endif /* CONFIG_SYSCTL */ | ||
| 419 | 402 | ||
| 420 | security_initcall(yama_init); | 403 | void __init yama_add_hooks(void) |
| 404 | { | ||
| 405 | pr_info("Yama: becoming mindful.\n"); | ||
| 406 | security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks)); | ||
| 407 | yama_init_sysctl(); | ||
| 408 | } | ||