Commit 730daa16 authored by Kees Cook's avatar Kees Cook Committed by James Morris

Yama: remove needless CONFIG_SECURITY_YAMA_STACKED

Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded
config for Yama to be made to explicitly stack. Just selecting the main
Yama CONFIG will allow it to work, regardless of the major LSM. Since
distros using Yama are already forcing it to stack, this is effectively
a no-op change.

Additionally add MAINTAINERS entry.
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent fe6c59dc
Yama is a Linux Security Module that collects a number of system-wide DAC Yama is a Linux Security Module that collects system-wide DAC security
security protections that are not handled by the core kernel itself. To protections that are not handled by the core kernel itself. This is
select it at boot time, specify "security=yama" (though this will disable selectable at build-time with CONFIG_SECURITY_YAMA, and can be controlled
any other LSM). at run-time through sysctls in /proc/sys/kernel/yama:
Yama is controlled through sysctl in /proc/sys/kernel/yama:
- ptrace_scope - ptrace_scope
......
...@@ -9102,6 +9102,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git ...@@ -9102,6 +9102,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
S: Supported S: Supported
F: security/apparmor/ F: security/apparmor/
YAMA SECURITY MODULE
M: Kees Cook <keescook@chromium.org>
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git yama/tip
S: Supported
F: security/yama/
SENSABLE PHANTOM SENSABLE PHANTOM
M: Jiri Slaby <jirislaby@gmail.com> M: Jiri Slaby <jirislaby@gmail.com>
S: Maintained S: Maintained
......
...@@ -320,7 +320,6 @@ CONFIG_KEYS=y ...@@ -320,7 +320,6 @@ CONFIG_KEYS=y
CONFIG_SECURITY=y CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_YAMA=y CONFIG_SECURITY_YAMA=y
CONFIG_SECURITY_YAMA_STACKED=y
CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_CRYPTO_AUTHENC=y CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_HMAC=y CONFIG_CRYPTO_HMAC=y
......
...@@ -1881,8 +1881,10 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, ...@@ -1881,8 +1881,10 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
extern int __init security_module_enable(const char *module); extern int __init security_module_enable(const char *module);
extern void __init capability_add_hooks(void); extern void __init capability_add_hooks(void);
#ifdef CONFIG_SECURITY_YAMA_STACKED #ifdef CONFIG_SECURITY_YAMA
void __init yama_add_hooks(void); extern void __init yama_add_hooks(void);
#else
static inline void __init yama_add_hooks(void) { }
#endif #endif
#endif /* ! __LINUX_LSM_HOOKS_H */ #endif /* ! __LINUX_LSM_HOOKS_H */
...@@ -132,7 +132,6 @@ choice ...@@ -132,7 +132,6 @@ choice
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_YAMA if SECURITY_YAMA
default DEFAULT_SECURITY_DAC default DEFAULT_SECURITY_DAC
help help
...@@ -151,9 +150,6 @@ choice ...@@ -151,9 +150,6 @@ choice
config DEFAULT_SECURITY_APPARMOR config DEFAULT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y bool "AppArmor" if SECURITY_APPARMOR=y
config DEFAULT_SECURITY_YAMA
bool "Yama" if SECURITY_YAMA=y
config DEFAULT_SECURITY_DAC config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls" bool "Unix Discretionary Access Controls"
...@@ -165,7 +161,6 @@ config DEFAULT_SECURITY ...@@ -165,7 +161,6 @@ config DEFAULT_SECURITY
default "smack" if DEFAULT_SECURITY_SMACK default "smack" if DEFAULT_SECURITY_SMACK
default "tomoyo" if DEFAULT_SECURITY_TOMOYO default "tomoyo" if DEFAULT_SECURITY_TOMOYO
default "apparmor" if DEFAULT_SECURITY_APPARMOR default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "yama" if DEFAULT_SECURITY_YAMA
default "" if DEFAULT_SECURITY_DAC default "" if DEFAULT_SECURITY_DAC
endmenu endmenu
......
...@@ -56,18 +56,13 @@ int __init security_init(void) ...@@ -56,18 +56,13 @@ int __init security_init(void)
pr_info("Security Framework initialized\n"); pr_info("Security Framework initialized\n");
/* /*
* Always load the capability module. * Load minor LSMs, with the capability module always first.
*/ */
capability_add_hooks(); capability_add_hooks();
#ifdef CONFIG_SECURITY_YAMA_STACKED
/*
* If Yama is configured for stacking load it next.
*/
yama_add_hooks(); yama_add_hooks();
#endif
/* /*
* Load the chosen module if there is one. * Load all the remaining security modules.
* This will also find yama if it is stacking
*/ */
do_security_initcalls(); do_security_initcalls();
......
...@@ -6,14 +6,7 @@ config SECURITY_YAMA ...@@ -6,14 +6,7 @@ config SECURITY_YAMA
This selects Yama, which extends DAC support with additional This selects Yama, which extends DAC support with additional
system-wide security settings beyond regular Linux discretionary system-wide security settings beyond regular Linux discretionary
access controls. Currently available is ptrace scope restriction. access controls. Currently available is ptrace scope restriction.
Like capabilities, this security module stacks with other LSMs.
Further information can be found in Documentation/security/Yama.txt. Further information can be found in Documentation/security/Yama.txt.
If you are unsure how to answer this question, answer N. If you are unsure how to answer this question, answer N.
config SECURITY_YAMA_STACKED
bool "Yama stacked with other LSMs"
depends on SECURITY_YAMA
default n
help
When Yama is built into the kernel, force it to stack with the
selected primary LSM.
...@@ -353,11 +353,6 @@ static struct security_hook_list yama_hooks[] = { ...@@ -353,11 +353,6 @@ static struct security_hook_list yama_hooks[] = {
LSM_HOOK_INIT(task_free, yama_task_free), LSM_HOOK_INIT(task_free, yama_task_free),
}; };
void __init yama_add_hooks(void)
{
security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks));
}
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
static int yama_dointvec_minmax(struct ctl_table *table, int write, static int yama_dointvec_minmax(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos) void __user *buffer, size_t *lenp, loff_t *ppos)
...@@ -396,25 +391,18 @@ static struct ctl_table yama_sysctl_table[] = { ...@@ -396,25 +391,18 @@ static struct ctl_table yama_sysctl_table[] = {
}, },
{ } { }
}; };
#endif /* CONFIG_SYSCTL */ static void __init yama_init_sysctl(void)
static __init int yama_init(void)
{ {
#ifndef CONFIG_SECURITY_YAMA_STACKED
/*
* If yama is being stacked this is already taken care of.
*/
if (!security_module_enable("yama"))
return 0;
#endif
pr_info("Yama: becoming mindful.\n");
#ifdef CONFIG_SYSCTL
if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table))
panic("Yama: sysctl registration failed.\n"); panic("Yama: sysctl registration failed.\n");
#endif
return 0;
} }
#else
static inline void yama_init_sysctl(void) { }
#endif /* CONFIG_SYSCTL */
security_initcall(yama_init); void __init yama_add_hooks(void)
{
pr_info("Yama: becoming mindful.\n");
security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks));
yama_init_sysctl();
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment