From 73ab4dc1d311e7bc3f7fdee1b266f42083b92a3e Mon Sep 17 00:00:00 2001 From: Steve Kemp Date: Thu, 18 Feb 2021 19:55:27 +0200 Subject: [PATCH] 13 update (#14) * Updated README to refer to 5.10.17 * Resync security/Kconfig + security/Makefile for 5.10.17 * Updated to link to the 'porting' bug-report * Resync config. --- README.md | 5 ++++- security/Kconfig | 40 ++++++++++++++++++------------------- security/Makefile | 20 +++++++++++-------- security/can-exec/README.md | 8 +++----- 4 files changed, 39 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index ab4a5e6..361a212 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,11 @@ This repository contains a small collection of linux security modules, which were written as a part of a learning/experimentation process. -The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is __5.4.22__. +The code present has been compiled and tested against the most recent long-term kernel, at the time of writing that is __5.10.17__. +If you want to port this code to a newer kernel, in the future, then the following bug-report is a good overview of how I approach things: + +* https://github.com/skx/linux-security-modules/issues/13 diff --git a/security/Kconfig b/security/Kconfig index 02b228c..06183a4 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -118,7 +118,7 @@ config INTEL_TXT it was configured with, especially since they may be responsible for providing such assurances to VMs and services running on it. - See for more information + See for more information about Intel(R) TXT. See for more information about tboot. See Documentation/x86/intel_txt.rst for a description of how to enable @@ -238,7 +238,6 @@ source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" - source "security/can-exec/Kconfig" source "security/hashcheck/Kconfig" source "security/whitelist/Kconfig" 
@@ -251,9 +250,9 @@ choice default DEFAULT_SECURITY_SMACK if SECURITY_SMACK default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR - default DEFAULT_SECURITY_CAN_EXEC if SECURITY_CAN_EXEC - default DEFAULT_SECURITY_HASH_CHECK if SECURITY_HASH_CHECK - default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST + default DEFAULT_SECURITY_CAN_EXEC if SECURITY_CAN_EXEC + default DEFAULT_SECURITY_HASH_CHECK if SECURITY_HASH_CHECK + default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST default DEFAULT_SECURITY_DAC help @@ -277,15 +276,16 @@ choice config DEFAULT_SECURITY_APPARMOR bool "AppArmor" if SECURITY_APPARMOR=y - config DEFAULT_SECURITY_CAN_EXEC - bool "can-exec" if SECURITY_CAN_EXEC=y - config DEFAULT_SECURITY_HASH_CHECK - bool "hashcheck" if SECURITY_HASH_CHECK=y + config DEFAULT_SECURITY_CAN_EXEC + bool "can-exec" if SECURITY_CAN_EXEC=y + + config DEFAULT_SECURITY_HASH_CHECK + bool "hashcheck" if SECURITY_HASH_CHECK=y - config DEFAULT_SECURITY_WHITELIST - bool "whitelist" if SECURITY_WHITELIST=y - + config DEFAULT_SECURITY_WHITELIST + bool "whitelist" if SECURITY_WHITELIST=y + config DEFAULT_SECURITY_DAC bool "Unix Discretionary Access Controls" 
@@ -293,14 +293,14 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK - default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR - default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO - default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC - default "lockdown,yama,loadpin,safesetid,integrity,can-exec" if DEFAULT_SECURITY_CAN_EXEC - default "lockdown,yama,loadpin,safesetid,integrity,hashcheck" if DEFAULT_SECURITY_HASH_CHECK - default "localdown,yama,loadpin,safesetid,integrity,whitelist" if DEFAULT_SECURITY_WHITELIST - default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,can-exec,hashcheck,whitelist" + default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK + default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR + default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO + default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC + default "lockdown,yama,loadpin,safesetid,integrity,bpf,can-exec" if DEFAULT_SECURITY_CAN_EXEC + default "lockdown,yama,loadpin,safesetid,integrity,bpf,hashcheck" if DEFAULT_SECURITY_HASH_CHECK + default "localdown,yama,loadpin,safesetid,integrity,bpf,whitelist" if DEFAULT_SECURITY_WHITELIST + default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/Makefile b/security/Makefile index f1dccf9..4e3f2d0 100644 --- a/security/Makefile +++ b/security/Makefile 
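Review bot: The `DEFAULT_SECURITY_WHITELIST` default in the `config LSM` block still begins with `localdown` instead of `lockdown`; the resync added `bpf` to that line but carried the typo over from the old side. The help text in this hunk says LSMs left off the list are ignored, so a kernel built with whitelist as the default would presumably boot without lockdown in its ordered list, unless lockdown is registered as an early LSM, which is not visible here. The line should read `default "lockdown,yama,loadpin,safesetid,integrity,bpf,whitelist" if DEFAULT_SECURITY_WHITELIST`. Separately, the final fallback default no longer names `can-exec`, `hashcheck` or `whitelist`, so those modules are only activated through their own `DEFAULT_SECURITY_*` choice or an explicit `CONFIG_LSM`; it is worth confirming that this is intended. The `config LSM` help text continues past the end of the hunk.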
@@ -12,9 +12,11 @@ subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown -subdir-$(CONFIG_SECURITY_CAN_EXEC) += can-exec -subdir-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck -subdir-$(CONFIG_SECURITY_WHITELIST) += whitelist +subdir-$(CONFIG_BPF_LSM) += bpf +subdir-$(CONFIG_SECURITY_CAN_EXEC) += can-exec +subdir-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck +subdir-$(CONFIG_SECURITY_WHITELIST) += whitelist + # always enable default capabilities obj-y += commoncap.o @@ -25,17 +27,19 @@ obj-$(CONFIG_SECURITY) += security.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ -obj-$(CONFIG_AUDIT) += lsm_audit.o +obj-$(CONFIG_SECURITY) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ -obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o -obj-$(CONFIG_SECURITY_CAN_EXEC) += can-exec/ -obj-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck/ -obj-$(CONFIG_SECURITY_WHITELIST) += whitelist/ +obj-$(CONFIG_CGROUPS) += device_cgroup.o +obj-$(CONFIG_BPF_LSM) += bpf/ +obj-$(CONFIG_SECURITY_CAN_EXEC) += can-exec/ +obj-$(CONFIG_SECURITY_HASH_CHECK) += hashcheck/ +obj-$(CONFIG_SECURITY_WHITELIST) += whitelist/ + # Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity diff --git a/security/can-exec/README.md b/security/can-exec/README.md index c8a63c3..7d07f4a 100644 --- a/security/can-exec/README.md +++ b/security/can-exec/README.md 
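Review bot: The three out-of-tree entries (`can-exec`, `hashcheck`, `whitelist`) are appended to the `subdir-` list with nothing marking them as local additions, which makes the next resync against upstream harder to audit. A one-line comment above the group, e.g. `# local additions: LSMs from this repository, not in upstream security/Makefile`, would let a reviewer compare the rest of the file against the stock 5.10.17 Makefile and spot unintended drift. The same applies to the `obj-` list in the second hunk (`@@ -25,17 +27,19 @@`). There, the moves of `lsm_audit.o` to `CONFIG_SECURITY` and `device_cgroup.o` to `CONFIG_CGROUPS` presumably come from upstream rather than from this project, and a comment would make that distinction explicit.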
@@ -18,14 +18,11 @@ The arguments supplied are the UID of the invoking user, and the command they're First of all you'll need to build the kernel with this module enabled. Since there have been changes to the Kernel recently, to allow LSM module-stacking, these are the settings I used for my own tests: ``` -# # Security options # CONFIG_KEYS=y -CONFIG_KEYS_COMPAT=y # CONFIG_KEYS_REQUEST_CACHE is not set # CONFIG_PERSISTENT_KEYRINGS is not set -# CONFIG_BIG_KEYS is not set # CONFIG_TRUSTED_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set # CONFIG_KEY_DH_OPERATIONS is not set @@ -53,8 +50,9 @@ CONFIG_SECURITY_CAN_EXEC=y # CONFIG_SECURITY_HASH_CHECK is not set # CONFIG_SECURITY_WHITELIST is not set # CONFIG_INTEGRITY is not set -CONFIG_DEFAULT_SECURITY_CAN_EXEC=y -# CONFIG_DEFAULT_SECURITY_DAC is not set +# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set +# CONFIG_DEFAULT_SECURITY_CAN_EXEC is not set +CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_LSM="yama,loadpin,safesetid,integrity,can-exec,selinux,smack,tomoyo,apparmor" ```