Config option to set a default LSM
The LSM currently requires setting a kernel parameter at boot to select a specific LSM. This adds a config option that allows specifying a default LSM that is used unless overridden with the security= kernel parameter. If the the config option is not set the current behavior of first LSM to register is used. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
0e1a6ef2de
commit
6e65f92ff0
|
@ -152,5 +152,37 @@ source security/tomoyo/Kconfig
|
|||
|
||||
source security/integrity/ima/Kconfig
|
||||
|
||||
choice
|
||||
prompt "Default security module"
|
||||
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
|
||||
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
|
||||
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
|
||||
default DEFAULT_SECURITY_DAC
|
||||
|
||||
help
|
||||
Select the security module that will be used by default if the
|
||||
kernel parameter security= is not specified.
|
||||
|
||||
config DEFAULT_SECURITY_SELINUX
|
||||
bool "SELinux" if SECURITY_SELINUX=y
|
||||
|
||||
config DEFAULT_SECURITY_SMACK
|
||||
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
|
||||
|
||||
config DEFAULT_SECURITY_TOMOYO
|
||||
bool "TOMOYO" if SECURITY_TOMOYO=y
|
||||
|
||||
config DEFAULT_SECURITY_DAC
|
||||
bool "Unix Discretionary Access Controls"
|
||||
|
||||
endchoice
|
||||
|
||||
config DEFAULT_SECURITY
|
||||
string
|
||||
default "selinux" if DEFAULT_SECURITY_SELINUX
|
||||
default "smack" if DEFAULT_SECURITY_SMACK
|
||||
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
|
||||
default "" if DEFAULT_SECURITY_DAC
|
||||
|
||||
endmenu
|
||||
|
||||
|
|
|
@ -19,7 +19,8 @@
|
|||
#include <linux/ima.h>
|
||||
|
||||
/* Boot-time LSM user choice */
|
||||
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
|
||||
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
|
||||
CONFIG_DEFAULT_SECURITY;
|
||||
|
||||
/* things that live in capability.c */
|
||||
extern struct security_operations default_security_ops;
|
||||
|
@ -80,8 +81,10 @@ __setup("security=", choose_lsm);
|
|||
*
|
||||
* Return true if:
|
||||
* -The passed LSM is the one chosen by user at boot time,
|
||||
* -or user didn't specify a specific LSM and we're the first to ask
|
||||
* for registration permission,
|
||||
* -or the passed LSM is configured as the default and the user did not
|
||||
* choose an alternate LSM at boot time,
|
||||
* -or there is no default LSM set and the user didn't specify a
|
||||
* specific LSM and we're the first to ask for registration permission,
|
||||
* -or the passed LSM is currently loaded.
|
||||
* Otherwise, return false.
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue