@@ -40,7 +40,7 @@ config SECURITY_STACKING
"bail on fail" policy, in which the infrastructure
will stop processing once a denial is detected. Not
all modules can be stacked. SELinux and Smack are
- known to be incompatable. User space components may
+ known to be incompatible. User space components may
have trouble identifying the security module providing
data in some cases.
@@ -53,7 +53,7 @@ config SECURITY_STACKING
If you are unsure how to answer this question, answer N.
-config SECURITY_STACKING_DEBUG
+config SECURITY_LSM_DEBUG
bool "Enable debugging of the LSM infrastructure"
depends on SECURITY
help
@@ -158,6 +158,9 @@ source security/yama/Kconfig
source security/integrity/Kconfig
+menu "Security Module Selection"
+ visible if !SECURITY_STACKING
+
choice
prompt "Default security module"
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
@@ -197,3 +200,72 @@ config DEFAULT_SECURITY
endmenu
+menu "Security Module Stack"
+ visible if SECURITY_STACKING
+
+choice
+ prompt "Stacked 'extreme' security module"
+ default SECURITY_SELINUX_STACKED if SECURITY_SELINUX
+ default SECURITY_SMACK_STACKED if SECURITY_SMACK
+
+ help
+ Enable an extreme security module. These modules cannot
+ be used at the same time.
+
+ config SECURITY_SELINUX_STACKED
+ bool "SELinux" if SECURITY_SELINUX=y
+ help
+ Add the SELinux security module to the stack. At this
+ time the Smack security module is incompatible with this
+ module.
+ Please be sure your user space code is accomodating of
+ this security module.
+
+ config SECURITY_SMACK_STACKED
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+ help
+ Add the Smack security module to the stack. At this
+ time the SELinux security module is incompatible with this
+ module.
+ Please be sure your user space code is accomodating of
+ this security module.
+
+ config SECURITY_NOTHING_STACKED
+ bool "Use no 'extreme' security module"
+ help
+ Add neither the SELinux security module nor the Smack security
+ module to the stack.
+ Please be sure your user space code does not require either of
+ these security modules.
+
+endchoice
+
+config SECURITY_TOMOYO_STACKED
+ bool "TOMOYO support is enabled by default"
+ depends on SECURITY_TOMOYO && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the TOMOYO checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+ Please be sure your user space code is accomodating of
+ multiple security modules.
+
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_APPARMOR_STACKED
+ bool "AppArmor support is enabled by default"
+ depends on SECURITY_APPARMOR && SECURITY_STACKING
+ default n
+ help
+ This option instructs the system to use the AppArmor checks.
+ If not selected the module will not be invoked.
+ Stacked security modules may interact in unexpected ways.
+ Please be sure your user space code is accomodating of
+ multiple security modules.
+
+ If you are unsure how to answer this question, answer N.
+
+endmenu
+
+endmenu
@@ -14,19 +14,6 @@ config SECURITY_APPARMOR
If you are unsure how to answer this question, answer N.
-config SECURITY_APPARMOR_STACKED
- bool "AppArmor support is enabled by default"
- depends on SECURITY_APPARMOR && SECURITY_STACKING
- default n
- help
- This option instructs the system to use the AppArmor checks.
- If not selected the module will not be invoked.
- Stacked security modules may interact in unexpected ways.
- Please be sure your user space code is accomodating of
- multiple security modules.
-
- If you are unsure how to answer this question, answer N.
-
config SECURITY_APPARMOR_BOOTPARAM_VALUE
int "AppArmor boot parameter default value"
depends on SECURITY_APPARMOR
@@ -85,7 +85,7 @@ int __init security_init(void)
*/
do_security_initcalls();
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
pr_info("LSM: inode blob size = %d\n", blob_sizes.lbs_inode);
@@ -96,7 +96,7 @@ int __init security_init(void)
pr_info("LSM: msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
-#endif /* CONFIG_SECURITY_STACKING_DEBUG */
+#endif /* CONFIG_SECURITY_LSM_DEBUG */
return 0;
}
@@ -195,7 +195,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
*/
int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (cred->security)
pr_info("%s: Inbound cred blob is not NULL.\n", __func__);
#endif
@@ -251,7 +251,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
*/
int lsm_file_alloc(struct file *file)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (file->f_security)
pr_info("%s: Inbound file blob is not NULL.\n", __func__);
#endif
@@ -274,7 +274,7 @@ int lsm_file_alloc(struct file *file)
*/
int lsm_inode_alloc(struct inode *inode)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (inode->i_security)
pr_info("%s: Inbound inode blob is not NULL.\n", __func__);
#endif
@@ -297,7 +297,7 @@ int lsm_inode_alloc(struct inode *inode)
*/
int lsm_ipc_alloc(struct kern_ipc_perm *kip)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (kip->security)
pr_info("%s: Inbound ipc blob is not NULL.\n", __func__);
#endif
@@ -321,7 +321,7 @@ int lsm_ipc_alloc(struct kern_ipc_perm *kip)
*/
int lsm_key_alloc(struct key *key)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (key->security)
pr_info("%s: Inbound key blob is not NULL.\n", __func__);
#endif
@@ -345,7 +345,7 @@ int lsm_key_alloc(struct key *key)
*/
int lsm_msg_msg_alloc(struct msg_msg *mp)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (mp->security)
pr_info("%s: Inbound msg_msg blob is not NULL.\n", __func__);
#endif
@@ -369,7 +369,7 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
*/
int lsm_sock_alloc(struct sock *sock, gfp_t priority)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (sock->sk_security)
pr_info("%s: Inbound sock blob is not NULL.\n", __func__);
#endif
@@ -392,7 +392,7 @@ int lsm_sock_alloc(struct sock *sock, gfp_t priority)
*/
int lsm_superblock_alloc(struct super_block *sb)
{
-#ifdef CONFIG_SECURITY_STACKING_DEBUG
+#ifdef CONFIG_SECURITY_LSM_DEBUG
if (sb->s_security)
pr_info("%s: Inbound superblock blob is not NULL.\n", __func__);
#endif
@@ -8,19 +8,6 @@ config SECURITY_SELINUX
You will also need a policy configuration and a labeled filesystem.
If you are unsure how to answer this question, answer N.
-config SECURITY_SELINUX_STACKED
- bool "NSA SELinux Support is enabled by default"
- depends on SECURITY_SELINUX && SECURITY_STACKING
- default n
- help
- This option instructs the system to use the SELinux checks.
- If not selected the module will not be invoked.
- Stacked security modules may interact in unexpected ways.
- Please be sure your user space code is accomodating of
- multiple security modules.
-
- If you are unsure how to answer this question, answer N.
-
config SECURITY_SELINUX_BOOTPARAM
bool "NSA SELinux boot parameter"
depends on SECURITY_SELINUX
@@ -12,19 +12,6 @@ config SECURITY_SMACK
of other mandatory security schemes.
If you are unsure how to answer this question, answer N.
-config SECURITY_SMACK_STACKED
- bool "Smack support is enabled by default"
- depends on SECURITY_SMACK && SECURITY_STACKING
- default n
- help
- This option instructs the system to use the Smack checks.
- If not selected the module will not be invoked.
- Stacked security modules may interact in unexpected ways.
- Please be sure your user space code is accomodating of
- multiple security modules.
-
- If you are unsure how to answer this question, answer N.
-
config SECURITY_SMACK_BRINGUP
bool "Reporting on access granted by Smack rules"
depends on SECURITY_SMACK
@@ -14,19 +14,6 @@ config SECURITY_TOMOYO
found at <http://tomoyo.sourceforge.jp/>.
If you are unsure how to answer this question, answer N.
-config SECURITY_TOMOYO_STACKED
- bool "TOMOYO support is enabled by default"
- depends on SECURITY_TOMOYO && SECURITY_STACKING
- default n
- help
- This option instructs the system to use the TOMOYO checks.
- If not selected the module will not be invoked.
- Stacked security modules may interact in unexpected ways.
- Please be sure your user space code is accomodating of
- multiple security modules.
-
- If you are unsure how to answer this question, answer N.
-
config SECURITY_TOMOYO_MAX_ACCEPT_ENTRY
int "Default maximal count for learning mode"
default 2048
Subject: [PATCH 25/25] LSM: Prevent stacking of incompatible modules The previous model for selecting security modules to stack allows for selecting SELinux and Smack together. There are several reasons that these two modules can't share the stack. Until those issues are resolved stacking them together must be prevented. When stacking is selected the modules to add to the stack are selected. There is a special menu from selecting between SELinux, Smack or neither. When stacking is not selected there is a menu to select the default module which looks a little different than before, but which works the same. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- security/Kconfig | 76 +++++++++++++++++++++++++++++++++++++++++++++-- security/apparmor/Kconfig | 13 -------- security/security.c | 20 ++++++------- security/selinux/Kconfig | 13 -------- security/smack/Kconfig | 13 -------- security/tomoyo/Kconfig | 13 -------- 6 files changed, 84 insertions(+), 64 deletions(-)