Skip to content

Commit

Permalink
13 update (#14)
Browse files Browse the repository at this point in the history
* Updated README to refer to 5.10.17

* Resync security/Kconfig + security/Makefile for 5.10.17

* Updated to link to the 'porting' bug-report

* Resync config.
  • Loading branch information
skx authored Feb 18, 2021
1 parent 31058b8 commit 73ab4dc
Show file tree
Hide file tree
Showing 4 changed files with 39 additions and 34 deletions.
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,11 @@

This repository contains a small collection of linux security modules, which were written as a part of a learning/experimentation process.

The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is __5.4.22__.
The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is __5.10.17__.

If you want to port this code to a newer kernel, in the future, then the following bug-report is a good overview of how I approach things:

* https://github.com/skx/linux-security-modules/issues/13



Expand Down
40 changes: 20 additions & 20 deletions security/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,7 @@ config INTEL_TXT
it was configured with, especially since they may be responsible for
providing such assurances to VMs and services running on it.

See <http://www.intel.com/technology/security/> for more information
See <https://www.intel.com/technology/security/> for more information
about Intel(R) TXT.
See <http://tboot.sourceforge.net> for more information about tboot.
See Documentation/x86/intel_txt.rst for a description of how to enable
Expand Down Expand Up @@ -238,7 +238,6 @@ source "security/loadpin/Kconfig"
source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"

source "security/can-exec/Kconfig"
source "security/hashcheck/Kconfig"
source "security/whitelist/Kconfig"
Expand All @@ -251,9 +250,9 @@ choice
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_CAN_EXEC if SECURITY_CAN_EXEC
default DEFAULT_SECURITY_HASH_CHECK if SECURITY_HASH_CHECK
default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST
default DEFAULT_SECURITY_CAN_EXEC if SECURITY_CAN_EXEC
default DEFAULT_SECURITY_HASH_CHECK if SECURITY_HASH_CHECK
default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST
default DEFAULT_SECURITY_DAC

help
Expand All @@ -277,30 +276,31 @@ choice
config DEFAULT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y

config DEFAULT_SECURITY_CAN_EXEC
bool "can-exec" if SECURITY_CAN_EXEC=y

config DEFAULT_SECURITY_HASH_CHECK
bool "hashcheck" if SECURITY_HASH_CHECK=y
config DEFAULT_SECURITY_CAN_EXEC
bool "can-exec" if SECURITY_CAN_EXEC=y

config DEFAULT_SECURITY_HASH_CHECK
bool "hashcheck" if SECURITY_HASH_CHECK=y

config DEFAULT_SECURITY_WHITELIST
bool "whitelist" if SECURITY_WHITELIST=y
config DEFAULT_SECURITY_WHITELIST
bool "whitelist" if SECURITY_WHITELIST=y
config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"

endchoice

config LSM
string "Ordered list of enabled LSMs"
default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
default "lockdown,yama,loadpin,safesetid,integrity,can-exec" if DEFAULT_SECURITY_CAN_EXEC
default "lockdown,yama,loadpin,safesetid,integrity,hashcheck" if DEFAULT_SECURITY_HASH_CHECK
default "localdown,yama,loadpin,safesetid,integrity,whitelist" if DEFAULT_SECURITY_WHITELIST
default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,can-exec,hashcheck,whitelist"
default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
default "lockdown,yama,loadpin,safesetid,integrity,bpf,can-exec" if DEFAULT_SECURITY_CAN_EXEC
default "lockdown,yama,loadpin,safesetid,integrity,bpf,hashcheck" if DEFAULT_SECURITY_HASH_CHECK
default "localdown,yama,loadpin,safesetid,integrity,bpf,whitelist" if DEFAULT_SECURITY_WHITELIST
default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
help
A comma-separated list of LSMs, in initialization order.
Any LSMs left off this list will be ignored. This can be
Expand Down
20 changes: 12 additions & 8 deletions security/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,11 @@ subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
subdir-$(CONFIG_SECURITY_CAN_EXEC) += can-exec
subdir-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck
subdir-$(CONFIG_SECURITY_WHITELIST) += whitelist
subdir-$(CONFIG_BPF_LSM) += bpf
subdir-$(CONFIG_SECURITY_CAN_EXEC) += can-exec
subdir-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck
subdir-$(CONFIG_SECURITY_WHITELIST) += whitelist


# always enable default capabilities
obj-y += commoncap.o
Expand All @@ -25,17 +27,19 @@ obj-$(CONFIG_SECURITY) += security.o
obj-$(CONFIG_SECURITYFS) += inode.o
obj-$(CONFIG_SECURITY_SELINUX) += selinux/
obj-$(CONFIG_SECURITY_SMACK) += smack/
obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
obj-$(CONFIG_SECURITY_CAN_EXEC) += can-exec/
obj-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck/
obj-$(CONFIG_SECURITY_WHITELIST) += whitelist/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_CAN_EXEC) += can-exec/
obj-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck/
obj-$(CONFIG_SECURITY_WHITELIST) += whitelist/


# Object integrity file lists
subdir-$(CONFIG_INTEGRITY) += integrity
Expand Down
8 changes: 3 additions & 5 deletions security/can-exec/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,11 @@ The arguments supplied are the UID of the invoking user, and the command they're
First of all you'll need to build the kernel with this module enabled. Since there have been changes to the Kernel recently, to allow LSM module-stacking, these are the settings I used for my own tests:

```
#
# Security options
#
CONFIG_KEYS=y
CONFIG_KEYS_COMPAT=y
# CONFIG_KEYS_REQUEST_CACHE is not set
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_TRUSTED_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
# CONFIG_KEY_DH_OPERATIONS is not set
Expand Down Expand Up @@ -53,8 +50,9 @@ CONFIG_SECURITY_CAN_EXEC=y
# CONFIG_SECURITY_HASH_CHECK is not set
# CONFIG_SECURITY_WHITELIST is not set
# CONFIG_INTEGRITY is not set
CONFIG_DEFAULT_SECURITY_CAN_EXEC=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
# CONFIG_DEFAULT_SECURITY_CAN_EXEC is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,can-exec,selinux,smack,tomoyo,apparmor"
```

Expand Down

0 comments on commit 73ab4dc

Please sign in to comment.