aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2009-11-05 20:03:20 -0500
committerJames Morris <jmorris@namei.org>2009-11-08 16:40:07 -0500
commit6e65f92ff0d6f18580737321718d09035085a3fb (patch)
tree2edfad79128d1b48e0b4ad49abdfbfcf2a1a2a48 /security
parent0e1a6ef2dea88101b056b6d9984f3325c5efced3 (diff)
Config option to set a default LSM
The LSM currently requires setting a kernel parameter at boot to select a specific LSM. This adds a config option that allows specifying a default LSM that is used unless overridden with the security= kernel parameter. If the the config option is not set the current behavior of first LSM to register is used. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig32
-rw-r--r--security/security.c9
2 files changed, 38 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig
index aeea8c2bb59c..95cc08913ca1 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -152,5 +152,37 @@ source security/tomoyo/Kconfig
152 152
153source security/integrity/ima/Kconfig 153source security/integrity/ima/Kconfig
154 154
155choice
156 prompt "Default security module"
157 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
158 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
159 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
160 default DEFAULT_SECURITY_DAC
161
162 help
163 Select the security module that will be used by default if the
164 kernel parameter security= is not specified.
165
166 config DEFAULT_SECURITY_SELINUX
167 bool "SELinux" if SECURITY_SELINUX=y
168
169 config DEFAULT_SECURITY_SMACK
170 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
171
172 config DEFAULT_SECURITY_TOMOYO
173 bool "TOMOYO" if SECURITY_TOMOYO=y
174
175 config DEFAULT_SECURITY_DAC
176 bool "Unix Discretionary Access Controls"
177
178endchoice
179
180config DEFAULT_SECURITY
181 string
182 default "selinux" if DEFAULT_SECURITY_SELINUX
183 default "smack" if DEFAULT_SECURITY_SMACK
184 default "tomoyo" if DEFAULT_SECURITY_TOMOYO
185 default "" if DEFAULT_SECURITY_DAC
186
155endmenu 187endmenu
156 188
diff --git a/security/security.c b/security/security.c
index 684d5ee655da..aad71b2ca195 100644
--- a/security/security.c
+++ b/security/security.c
@@ -19,7 +19,8 @@
19#include <linux/ima.h> 19#include <linux/ima.h>
20 20
21/* Boot-time LSM user choice */ 21/* Boot-time LSM user choice */
22static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; 22static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
23 CONFIG_DEFAULT_SECURITY;
23 24
24/* things that live in capability.c */ 25/* things that live in capability.c */
25extern struct security_operations default_security_ops; 26extern struct security_operations default_security_ops;
@@ -80,8 +81,10 @@ __setup("security=", choose_lsm);
80 * 81 *
81 * Return true if: 82 * Return true if:
82 * -The passed LSM is the one chosen by user at boot time, 83 * -The passed LSM is the one chosen by user at boot time,
83 * -or user didn't specify a specific LSM and we're the first to ask 84 * -or the passed LSM is configured as the default and the user did not
84 * for registration permission, 85 * choose an alternate LSM at boot time,
86 * -or there is no default LSM set and the user didn't specify a
87 * specific LSM and we're the first to ask for registration permission,
85 * -or the passed LSM is currently loaded. 88 * -or the passed LSM is currently loaded.
86 * Otherwise, return false. 89 * Otherwise, return false.
87 */ 90 */