13 update (#14)

* Updated README to refer to 5.10.17 * Resync security/Kconfig + security/Makefile for 5.10.17 * Updated to link to the 'porting' bug-report * Resync config.
skx · Feb 18, 2021 · 73ab4dc · 73ab4dc
1 parent 31058b8
commit 73ab4dc
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 34 deletions.
diff --git a/README.md b/README.md
@@ -2,8 +2,11 @@
 
 This repository contains a small collection of linux security modules, which were written as a part of a learning/experimentation process.
 
-The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is __5.4.22__.
+The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is __5.10.17__.
 
+If you want to port this code to a newer kernel, in the future, then the following bug-report is a good overview of how I approach things:
+
+* https://github.com/skx/linux-security-modules/issues/13
 
 
 

diff --git a/security/Kconfig b/security/Kconfig
@@ -118,7 +118,7 @@ config INTEL_TXT
 	  it was configured with, especially since they may be responsible for
 	  providing such assurances to VMs and services running on it.
 
-	  See <http://www.intel.com/technology/security/> for more information
+	  See <https://www.intel.com/technology/security/> for more information
 	  about Intel(R) TXT.
 	  See <http://tboot.sourceforge.net> for more information about tboot.
 	  See Documentation/x86/intel_txt.rst for a description of how to enable
@@ -238,7 +238,6 @@ source "security/loadpin/Kconfig"
 source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
 source "security/lockdown/Kconfig"
-
 source "security/can-exec/Kconfig"
 source "security/hashcheck/Kconfig"
 source "security/whitelist/Kconfig"
@@ -251,9 +250,9 @@ choice
 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
-	default DEFAULT_SECURITY_CAN_EXEC if SECURITY_CAN_EXEC
-  	default DEFAULT_SECURITY_HASH_CHECK if SECURITY_HASH_CHECK
-  	default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST
+        default DEFAULT_SECURITY_CAN_EXEC if SECURITY_CAN_EXEC
+        default DEFAULT_SECURITY_HASH_CHECK if SECURITY_HASH_CHECK
+        default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST
 	default DEFAULT_SECURITY_DAC
 
 	help
@@ -277,30 +276,31 @@ choice
 	config DEFAULT_SECURITY_APPARMOR
 		bool "AppArmor" if SECURITY_APPARMOR=y
 
-	config DEFAULT_SECURITY_CAN_EXEC
- 	       bool "can-exec" if SECURITY_CAN_EXEC=y
 
-	config DEFAULT_SECURITY_HASH_CHECK
- 	       bool "hashcheck" if SECURITY_HASH_CHECK=y
+        config DEFAULT_SECURITY_CAN_EXEC
+               bool "can-exec" if SECURITY_CAN_EXEC=y
+
+        config DEFAULT_SECURITY_HASH_CHECK
+               bool "hashcheck" if SECURITY_HASH_CHECK=y
 
-	config DEFAULT_SECURITY_WHITELIST
- 	       bool "whitelist" if SECURITY_WHITELIST=y
-	       
+        config DEFAULT_SECURITY_WHITELIST
+               bool "whitelist" if SECURITY_WHITELIST=y
+               
 	config DEFAULT_SECURITY_DAC
 		bool "Unix Discretionary Access Controls"
 
 endchoice
 
 config LSM
 	string "Ordered list of enabled LSMs"
-	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
-	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
-	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
-	default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
- 	default "lockdown,yama,loadpin,safesetid,integrity,can-exec" if DEFAULT_SECURITY_CAN_EXEC
- 	default "lockdown,yama,loadpin,safesetid,integrity,hashcheck" if DEFAULT_SECURITY_HASH_CHECK
- 	default "localdown,yama,loadpin,safesetid,integrity,whitelist" if DEFAULT_SECURITY_WHITELIST
-	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,can-exec,hashcheck,whitelist"
+	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+	default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
+        default "lockdown,yama,loadpin,safesetid,integrity,bpf,can-exec" if DEFAULT_SECURITY_CAN_EXEC
+        default "lockdown,yama,loadpin,safesetid,integrity,bpf,hashcheck" if DEFAULT_SECURITY_HASH_CHECK
+        default "localdown,yama,loadpin,safesetid,integrity,bpf,whitelist" if DEFAULT_SECURITY_WHITELIST
+	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
 	help
 	  A comma-separated list of LSMs, in initialization order.
 	  Any LSMs left off this list will be ignored. This can be

diff --git a/security/Makefile b/security/Makefile
@@ -12,9 +12,11 @@ subdir-$(CONFIG_SECURITY_YAMA)		+= yama
 subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
 subdir-$(CONFIG_SECURITY_SAFESETID)    += safesetid
 subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown
-subdir-$(CONFIG_SECURITY_CAN_EXEC)	+= can-exec
-subdir-$(CONFIG_SECURITY_HASH_CHECK)	+= hashcheck
-subdir-$(CONFIG_SECURITY_WHITELIST)	+= whitelist
+subdir-$(CONFIG_BPF_LSM)		+= bpf
+subdir-$(CONFIG_SECURITY_CAN_EXEC)      += can-exec
+subdir-$(CONFIG_SECURITY_HASH_CHECK)    += hashcheck
+subdir-$(CONFIG_SECURITY_WHITELIST)     += whitelist
+
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -25,17 +27,19 @@ obj-$(CONFIG_SECURITY)			+= security.o
 obj-$(CONFIG_SECURITYFS)		+= inode.o
 obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/
 obj-$(CONFIG_SECURITY_SMACK)		+= smack/
-obj-$(CONFIG_AUDIT)			+= lsm_audit.o
+obj-$(CONFIG_SECURITY)			+= lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
 obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
 obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/
 obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
-obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
-obj-$(CONFIG_SECURITY_CAN_EXEC)		+= can-exec/
-obj-$(CONFIG_SECURITY_HASH_CHECK)	+= hashcheck/
-obj-$(CONFIG_SECURITY_WHITELIST)	+= whitelist/
+obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
+obj-$(CONFIG_BPF_LSM)			+= bpf/
+obj-$(CONFIG_SECURITY_CAN_EXEC)         += can-exec/
+obj-$(CONFIG_SECURITY_HASH_CHECK)       += hashcheck/
+obj-$(CONFIG_SECURITY_WHITELIST)        += whitelist/
+
 
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY)		+= integrity

diff --git a/security/can-exec/README.md b/security/can-exec/README.md
@@ -18,14 +18,11 @@ The arguments supplied are the UID of the invoking user, and the command they're
 First of all you'll need to build the kernel with this module enabled.  Since there have been changes to the Kernel recently, to allow LSM module-stacking, these are the settings I used for my own tests:
 
 ```
-#
 # Security options
 #
 CONFIG_KEYS=y
-CONFIG_KEYS_COMPAT=y
 # CONFIG_KEYS_REQUEST_CACHE is not set
 # CONFIG_PERSISTENT_KEYRINGS is not set
-# CONFIG_BIG_KEYS is not set
 # CONFIG_TRUSTED_KEYS is not set
 # CONFIG_ENCRYPTED_KEYS is not set
 # CONFIG_KEY_DH_OPERATIONS is not set
@@ -53,8 +50,9 @@ CONFIG_SECURITY_CAN_EXEC=y
 # CONFIG_SECURITY_HASH_CHECK is not set
 # CONFIG_SECURITY_WHITELIST is not set
 # CONFIG_INTEGRITY is not set
-CONFIG_DEFAULT_SECURITY_CAN_EXEC=y
-# CONFIG_DEFAULT_SECURITY_DAC is not set
+# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+# CONFIG_DEFAULT_SECURITY_CAN_EXEC is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_LSM="yama,loadpin,safesetid,integrity,can-exec,selinux,smack,tomoyo,apparmor"
 ```