Commit 000d388e authored by Matthew Garrett, committed by James Morris

security: Add a static lockdown policy LSM



While existing LSMs can be extended to handle lockdown policy,
distributions generally want to be able to apply a straightforward
static policy. This patch adds a simple LSM that can be configured to
reject either integrity or all lockdown queries, and can be configured
at runtime (through securityfs), boot time (via a kernel parameter) or
build time (via a kconfig option). Based on initial code by David
Howells.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
parent 9e47d31d
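--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2244,6 +2244,15 @@
 	lockd.nlm_udpport=M	[NFS] Assign UDP port.
 			Format: <integer>
 
+	lockdown=	[SECURITY]
+			{ integrity | confidentiality }
+			Enable the kernel lockdown feature. If set to
+			integrity, kernel features that allow userland to
+			modify the running kernel are disabled. If set to
+			confidentiality, kernel features that allow userland
+			to extract confidential information from the kernel
+			are also disabled.
+
 	locktorture.nreaders_stress= [KNL]
 			Set the number of locking read-acquisition kthreads.
 			Defaults to being automatically set based on the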
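--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -97,6 +97,9 @@ enum lsm_event {
  * potentially a moving target. It is easy to misuse this information
  * in a way that could break userspace. Please be careful not to do
  * so.
+ *
+ * If you add to this, remember to extend lockdown_reasons in
+ * security/lockdown/lockdown.c.
  */
 enum lockdown_reason {
 	LOCKDOWN_NONE,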
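--- a/security/Kconfig
+++ b/security/Kconfig
@@ -237,6 +237,7 @@ source "security/apparmor/Kconfig"
 source "security/loadpin/Kconfig"
 source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
+source "security/lockdown/Kconfig"
 
 source "security/integrity/Kconfig"
 
@@ -276,11 +277,11 @@ endchoice
 
 config LSM
 	string "Ordered list of enabled LSMs"
-	default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
-	default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
-	default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
-	default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
-	default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
+	default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
+	default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
+	default "lockdown,yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
+	default "lockdown,yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
+	default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 	help
 	  A comma-separated list of LSMs, in initialization order.
 	  Any LSMs left off this list will be ignored. This can be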
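Review bot: Prepending `lockdown` to the five CONFIG_LSM defaults only reaches configurations that regenerate the string; a tree whose .config already carries an explicit CONFIG_LSM value keeps its old list, and by the help text in the last two lines of this hunk an LSM left off that list is ignored, so turning on SECURITY_LOCKDOWN_LSM there silently yields no enforcement. This deserves a sentence where the new option is defined, e.g. in the SECURITY_LOCKDOWN_LSM help: `Lockdown is only active when "lockdown" is present in CONFIG_LSM; check the LSM list when enabling this on an existing configuration.` Whether SECURITY_LOCKDOWN_LSM_EARLY bypasses the ordered list, as its help text seems to imply, cannot be confirmed from this page since the LSM init code and lockdown.c are not shown, so the wording should be checked against them before landing.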
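--- a/security/Makefile
+++ b/security/Makefile
@@ -11,6 +11,7 @@ subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
 subdir-$(CONFIG_SECURITY_YAMA)		+= yama
 subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
 subdir-$(CONFIG_SECURITY_SAFESETID)    += safesetid
+subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -27,6 +28,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
 obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
 obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/
+obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 
 # Object integrity file lists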
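--- /dev/null
+++ b/security/lockdown/Kconfig
@@ -0,0 +1,46 @@
+config SECURITY_LOCKDOWN_LSM
+	bool "Basic module for enforcing kernel lockdown"
+	depends on SECURITY
+	help
+	  Build support for an LSM that enforces a coarse kernel lockdown
+	  behaviour.
+
+config SECURITY_LOCKDOWN_LSM_EARLY
+	bool "Enable lockdown LSM early in init"
+	depends on SECURITY_LOCKDOWN_LSM
+	help
+	  Enable the lockdown LSM early in boot. This is necessary in order
+	  to ensure that lockdown enforcement can be carried out on kernel
+	  boot parameters that are otherwise parsed before the security
+	  subsystem is fully initialised. If enabled, lockdown will
+	  unconditionally be called before any other LSMs.
+
+choice
+	prompt "Kernel default lockdown mode"
+	default LOCK_DOWN_KERNEL_FORCE_NONE
+	depends on SECURITY_LOCKDOWN_LSM
+	help
+	  The kernel can be configured to default to differing levels of
+	  lockdown.
+
+config LOCK_DOWN_KERNEL_FORCE_NONE
+	bool "None"
+	help
+	  No lockdown functionality is enabled by default. Lockdown may be
+	  enabled via the kernel commandline or /sys/kernel/security/lockdown.
+
+config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
+	bool "Integrity"
+	help
+	 The kernel runs in integrity mode by default. Features that allow
+	 the kernel to be modified at runtime are disabled.
+
+config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
+	bool "Confidentiality"
+	help
+	 The kernel runs in confidentiality mode by default. Features that
+	 allow the kernel to be modified at runtime or that permit userland
+	 code to read confidential material held inside the kernel are
+	 disabled.
+
+endchoice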
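Review bot: The help text indentation is inconsistent within the new file: the LOCK_DOWN_KERNEL_FORCE_INTEGRITY and LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY help blocks are indented with a tab plus one space, while every other help block here uses a tab plus two spaces, which is also the usual Kconfig convention. Re-indenting those two blocks, e.g. `	  The kernel runs in integrity mode by default. Features that allow`, keeps the file uniform. Separately, none of the help texts state whether the forced build-time mode is a floor that the lockdown= parameter and /sys/kernel/security/lockdown can only raise, or a default that can later be lowered; a one-line statement in the choice help would settle that for distributions picking a forced mode. The actual behaviour cannot be read from this page since lockdown.c is not shown, so the sentence should be written against that code.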