mirror of
https://github.com/adulau/aha.git
synced 2024-12-27 11:16:11 +00:00
Config option to set a default LSM
The LSM currently requires setting a kernel parameter at boot to select a specific LSM. This adds a config option that allows specifying a default LSM that is used unless overridden with the security= kernel parameter. If the the config option is not set the current behavior of first LSM to register is used. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
0e1a6ef2de
commit
6e65f92ff0
2 changed files with 38 additions and 3 deletions
|
@ -152,5 +152,37 @@ source security/tomoyo/Kconfig
|
||||||
|
|
||||||
source security/integrity/ima/Kconfig
|
source security/integrity/ima/Kconfig
|
||||||
|
|
||||||
|
choice
|
||||||
|
prompt "Default security module"
|
||||||
|
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
|
||||||
|
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
|
||||||
|
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
|
||||||
|
default DEFAULT_SECURITY_DAC
|
||||||
|
|
||||||
|
help
|
||||||
|
Select the security module that will be used by default if the
|
||||||
|
kernel parameter security= is not specified.
|
||||||
|
|
||||||
|
config DEFAULT_SECURITY_SELINUX
|
||||||
|
bool "SELinux" if SECURITY_SELINUX=y
|
||||||
|
|
||||||
|
config DEFAULT_SECURITY_SMACK
|
||||||
|
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
|
||||||
|
|
||||||
|
config DEFAULT_SECURITY_TOMOYO
|
||||||
|
bool "TOMOYO" if SECURITY_TOMOYO=y
|
||||||
|
|
||||||
|
config DEFAULT_SECURITY_DAC
|
||||||
|
bool "Unix Discretionary Access Controls"
|
||||||
|
|
||||||
|
endchoice
|
||||||
|
|
||||||
|
config DEFAULT_SECURITY
|
||||||
|
string
|
||||||
|
default "selinux" if DEFAULT_SECURITY_SELINUX
|
||||||
|
default "smack" if DEFAULT_SECURITY_SMACK
|
||||||
|
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
|
||||||
|
default "" if DEFAULT_SECURITY_DAC
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,8 @@
|
||||||
#include <linux/ima.h>
|
#include <linux/ima.h>
|
||||||
|
|
||||||
/* Boot-time LSM user choice */
|
/* Boot-time LSM user choice */
|
||||||
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
|
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
|
||||||
|
CONFIG_DEFAULT_SECURITY;
|
||||||
|
|
||||||
/* things that live in capability.c */
|
/* things that live in capability.c */
|
||||||
extern struct security_operations default_security_ops;
|
extern struct security_operations default_security_ops;
|
||||||
|
@ -80,8 +81,10 @@ __setup("security=", choose_lsm);
|
||||||
*
|
*
|
||||||
* Return true if:
|
* Return true if:
|
||||||
* -The passed LSM is the one chosen by user at boot time,
|
* -The passed LSM is the one chosen by user at boot time,
|
||||||
* -or user didn't specify a specific LSM and we're the first to ask
|
* -or the passed LSM is configured as the default and the user did not
|
||||||
* for registration permission,
|
* choose an alternate LSM at boot time,
|
||||||
|
* -or there is no default LSM set and the user didn't specify a
|
||||||
|
* specific LSM and we're the first to ask for registration permission,
|
||||||
* -or the passed LSM is currently loaded.
|
* -or the passed LSM is currently loaded.
|
||||||
* Otherwise, return false.
|
* Otherwise, return false.
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in a new issue