From patchwork Wed Sep 2 00:32:45 2020
X-Patchwork-Submitter: Paul Spooren
X-Patchwork-Id: 1355469
X-Patchwork-Delegate: daniel@makrotopia.org
From: Paul Spooren
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] config: add KERNEL_LSM symbol
Date: Tue, 1 Sep 2020 14:32:45 -1000
Message-Id: <20200902003245.3315830-1-mail@aparcar.org>
X-Mailer: git-send-email 2.25.1
Cc: Paul Spooren

The LSM (Linux security mechanism) list is the successor of the now legacy *major LSM*. Instead of defining a single security mechanism, the LSM symbol is a comma-separated list of mechanisms to load.

Until recently OpenWrt would only support DAC (Unix discretionary access controls), which doesn't require an additional entry in the LSM list. With the newly introduced SELinux support the LSM needs to be extended, else only a manually modified Kernel cmdline (`security=selinux`) would activate SELinux.

As the default OpenWrt Kernel config sets DAC as default security mechanism, SELinux is stripped from the LSM list, even if `KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without a modified cmdline this commit sets a specific LSM list if `KERNEL_SECURITY_SELINUX` is enabled.
The upstream Kconfig adds even more mechanisms (smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt, these can be ignored.

To compile SELinux Kernel support but disable it from loading, the already present options `KERNEL_SECURITY_SELINUX_DISABLE` or `KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`) can be used. Further, it's possible to edit `/etc/selinux/config`.

Signed-off-by: Paul Spooren
---
config/Config-kernel.in | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in index 4eaaa4afae..1f677fd1f5 100644 --- a/config/Config-kernel.in +++ b/config/Config-kernel.in @@ -1133,18 +1133,10 @@ config KERNEL_SECURITY_SELINUX_DEVELOP bool "NSA SELinux Development Support" depends on KERNEL_SECURITY_SELINUX -choice - prompt "First legacy 'major LSM' to be initialized" +config KERNEL_LSM + string + default "lockdown,yama,loadpin,safesetid,integrity,selinux" depends on KERNEL_SECURITY_SELINUX - default KERNEL_DEFAULT_SECURITY_SELINUX - - config KERNEL_DEFAULT_SECURITY_SELINUX - bool "SELinux" - - config KERNEL_DEFAULT_SECURITY_DAC - bool "Unix Discretionary Access Controls" - -endchoice config KERNEL_EXT4_FS_SECURITY bool "Ext4 Security Labels"
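Review bot: the new `config KERNEL_LSM` symbol in this hunk has no prompt and no help text, while the `choice` it replaces carried the prompt "First legacy 'major LSM' to be initialized", so the ordered list is now invisible in menuconfig and nothing in the Kconfig explains that the comma-separated string becomes the kernel's LSM list and that its order is the initialisation order; a short `help` block under the `default` line would fix that. Also, the diffstat shows only config/Config-kernel.in changing, yet the hunk deletes `KERNEL_DEFAULT_SECURITY_SELINUX` and `KERNEL_DEFAULT_SECURITY_DAC` (the commit message itself still refers to the former), so please confirm nothing else in the tree still references those two symbols before merging.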
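As an added illustration of the LSM-list semantics the commit message relies on (this is not part of the patch or of OpenWrt's code), the following Python models how a kernel of that era derives its LSM initialisation order from CONFIG_LSM, the `lsm=` and `security=` command-line options and the `selinux=0` boot parameter, so a maintainer can check what a given `.config` and cmdline will actually enable. Assumptions: the name-to-Kconfig-symbol map in `LSM_SYMBOL`, the set of exclusive legacy-major LSMs and the ordering rules follow upstream `security/security.c` of the 5.4 series; the two `.config` fragments are constructed for the example and are not real OpenWrt configs.

```python
import re

# LSM name as it appears in CONFIG_LSM -> Kconfig symbol that builds it in
# (assumed from upstream security/*/Kconfig of the 5.4 series).
LSM_SYMBOL = {
    "lockdown": "CONFIG_SECURITY_LOCKDOWN_LSM",
    "yama": "CONFIG_SECURITY_YAMA",
    "loadpin": "CONFIG_SECURITY_LOADPIN",
    "safesetid": "CONFIG_SECURITY_SAFESETID",
    "integrity": "CONFIG_INTEGRITY",
    "selinux": "CONFIG_SECURITY_SELINUX",
    "smack": "CONFIG_SECURITY_SMACK",
    "tomoyo": "CONFIG_SECURITY_TOMOYO",
    "apparmor": "CONFIG_SECURITY_APPARMOR",
}
# "Legacy major" LSMs: security= selects one of these and no other may run.
LEGACY_MAJOR = {"selinux", "smack", "tomoyo", "apparmor"}

# Constructed .config fragments. The first mirrors what the patch produces
# (SELinux in the list); the second mirrors the upstream DAC default that
# the commit message says drops SELinux from the list.
SAMPLE_CONFIG = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux"
"""
SAMPLE_CONFIG_DAC_DEFAULT = SAMPLE_CONFIG.replace(
    'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux"',
    'CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"')


def parse_dotconfig(text):
    """Return {symbol: value} for CONFIG_X=y / CONFIG_X="str" lines; '# ... is not set' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^(CONFIG_[A-Z0-9_]+)=(.*)$', line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg


def parse_cmdline(cmdline):
    """Return {key: value} for the key=value words of a kernel command line."""
    params = {}
    for word in cmdline.split():
        key, _, value = word.partition("=")
        params[key] = value
    return params


def effective_lsm_order(dotconfig_text, cmdline=""):
    """Model of ordered_lsm_parse(): which LSMs get initialised, in order."""
    cfg = parse_dotconfig(dotconfig_text)
    params = parse_cmdline(cmdline)
    built_in = {name for name, sym in LSM_SYMBOL.items() if cfg.get(sym) == "y"}

    # lsm= replaces the built-in CONFIG_LSM list and makes security= ignored.
    if "lsm" in params:
        order, chosen_major = params["lsm"], None
    else:
        order, chosen_major = cfg.get("CONFIG_LSM", ""), params.get("security")

    disabled = set()
    # selinux=0 is only honoured when CONFIG_SECURITY_SELINUX_BOOTPARAM is built.
    if cfg.get("CONFIG_SECURITY_SELINUX_BOOTPARAM") == "y" and params.get("selinux") == "0":
        disabled.add("selinux")
    # security=<x> disables every *other* legacy major LSM; there is no fallback
    # if <x> itself is disabled or not built in.
    if chosen_major:
        disabled |= LEGACY_MAJOR - {chosen_major}

    active = ["capability"]  # LSM_ORDER_FIRST: always initialised first
    for name in order.split(","):
        # Names that are not built in are silently ignored by the kernel.
        if name in built_in and name not in disabled and name not in active:
            active.append(name)
    # A chosen major LSM missing from the ordered list is appended at the end.
    if (chosen_major and chosen_major in built_in
            and chosen_major not in disabled and chosen_major not in active):
        active.append(chosen_major)
    return active


if __name__ == "__main__":
    for label, cfg, cmd in [
        ("patched list, no cmdline", SAMPLE_CONFIG, ""),
        ("DAC default, no cmdline", SAMPLE_CONFIG_DAC_DEFAULT, ""),
        ("DAC default + security=selinux", SAMPLE_CONFIG_DAC_DEFAULT, "security=selinux"),
        ("patched list + selinux=0", SAMPLE_CONFIG, "selinux=0"),
        ("lsm= overrides security=", SAMPLE_CONFIG, "lsm=capability,selinux security=apparmor"),
    ]:
        print(f"{label:35s} -> {','.join(effective_lsm_order(cfg, cmd))}")
```

The second and third cases are the situation the commit message describes: with the upstream DAC default, SELinux is compiled in but never initialised unless `security=selinux` is added to the cmdline, whereas the patched list enables it without any cmdline change. The `selinux=0` case shows the opt-out path the message points to, and the last case shows that `lsm=` on the cmdline supersedes both the built-in list and `security=`.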