CaitSith uses LSM hooks and securityfs support. For now, CaitSith is not
using security blobs (i.e. "void *security" field in data structures)
so that you can enable CaitSith using Multiple Concurrent LSMs.

Signed-off-by: Tetsuo Handa <[email protected]>
---
 security/Kconfig           |  6 ++++++
 security/Makefile          |  2 ++
 security/caitsith/Kconfig  | 48 ++++++++++++++++++++++++++++++++++++++++++++++
 security/caitsith/Makefile | 15 +++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 security/caitsith/Kconfig
 create mode 100644 security/caitsith/Makefile

diff --git a/security/Kconfig b/security/Kconfig
index 176758c..ab5b634 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -124,6 +124,7 @@ source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
 source security/loadpin/Kconfig
 source security/yama/Kconfig
+source security/caitsith/Kconfig
 
 source security/integrity/Kconfig
 
@@ -133,6 +134,7 @@ choice
        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
        default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+       default DEFAULT_SECURITY_CAITSITH if SECURITY_CAITSITH
        default DEFAULT_SECURITY_DAC
 
        help
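Review bot: Adding CaitSith as a DEFAULT_SECURITY choice makes it mutually exclusive with SELinux, Smack, TOMOYO and AppArmor on an in-tree kernel, where (as far as the code at this point goes) only the one LSM named in CONFIG_DEFAULT_SECURITY is activated; that sits uneasily with the description's statement that the blob-free design exists so CaitSith can be enabled under "Multiple Concurrent LSMs". If running alongside another major LSM is the intent, that presumably depends on an out-of-tree stacking series and the description should say so; if not, the exclusivity should be stated where users will see it. A one-line addition to the SECURITY_CAITSITH help, `On an unpatched kernel CaitSith is a "major" LSM and cannot be combined with SELinux, Smack, TOMOYO or AppArmor.`, would avoid the surprise either way.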
@@ -151,6 +153,9 @@ choice
        config DEFAULT_SECURITY_APPARMOR
                bool "AppArmor" if SECURITY_APPARMOR=y
 
+       config DEFAULT_SECURITY_CAITSITH
+               bool "CaitSith" if SECURITY_CAITSITH=y
+
        config DEFAULT_SECURITY_DAC
                bool "Unix Discretionary Access Controls"
 
@@ -162,6 +167,7 @@ config DEFAULT_SECURITY
        default "smack" if DEFAULT_SECURITY_SMACK
        default "tomoyo" if DEFAULT_SECURITY_TOMOYO
        default "apparmor" if DEFAULT_SECURITY_APPARMOR
+       default "caitsith" if DEFAULT_SECURITY_CAITSITH
        default "" if DEFAULT_SECURITY_DAC
 
 endmenu
diff --git a/security/Makefile b/security/Makefile
index f2d71cd..3745af0 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)     += apparmor
 subdir-$(CONFIG_SECURITY_YAMA)         += yama
 subdir-$(CONFIG_SECURITY_LOADPIN)      += loadpin
+subdir-$(CONFIG_SECURITY_CAITSITH)     += caitsith
 
 # always enable default capabilities
 obj-y                                  += commoncap.o
@@ -25,6 +26,7 @@ obj-$(CONFIG_SECURITY_APPARMOR)               += apparmor/
 obj-$(CONFIG_SECURITY_YAMA)            += yama/
 obj-$(CONFIG_SECURITY_LOADPIN)         += loadpin/
 obj-$(CONFIG_CGROUP_DEVICE)            += device_cgroup.o
+obj-$(CONFIG_SECURITY_CAITSITH)                += caitsith/
 
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY)             += integrity
diff --git a/security/caitsith/Kconfig b/security/caitsith/Kconfig
new file mode 100644
index 0000000..005cdb1
--- /dev/null
+++ b/security/caitsith/Kconfig
@@ -0,0 +1,48 @@
+config SECURITY_CAITSITH
+       bool "CaitSith Support"
+       depends on SECURITY
+       select SECURITYFS
+       select SRCU
+       default n
+       help
+         This selects CaitSith, check list based access control.
+         Required userspace tools and further information may be
+         found at <https://caitsith.osdn.jp/>.
+         If you are unsure how to answer this question, answer N.
+
+config SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+       bool "Activate without calling userspace policy loader."
+       default n
+       depends on SECURITY_CAITSITH
+       ---help---
+         Say Y here if you want to activate access control as soon as built-in
+         policy was loaded. This option will be useful for systems where
+         operations which can lead to the hijacking of the boot sequence are
+         needed before loading the policy. For example, you can activate
+         immediately after loading the fixed part of policy which will allow
+         only operations needed for mounting a partition which contains the
+         variant part of policy and verifying (e.g. running GPG check) and
+         loading the variant part of policy. Since you can start using
+         enforcing mode from the beginning, you can reduce the possibility of
+         hijacking the boot sequence.
+
+config SECURITY_CAITSITH_POLICY_LOADER
+       string "Location of userspace policy loader"
+       default "/sbin/caitsith-init"
+       depends on SECURITY_CAITSITH
+       depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+       ---help---
+         This is the default pathname of policy loader which is called before
+         activation. You can override this setting via CS_loader= kernel
+         command line option.
+
+config SECURITY_CAITSITH_ACTIVATION_TRIGGER
+       string "Trigger for calling userspace policy loader"
+       default "/sbin/init"
+       depends on SECURITY_CAITSITH
+       depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+       ---help---
+         This is the default pathname of activation trigger. You can override
+         this setting via CS_trigger= kernel command line option.
+         For example, if you pass init=/usr/lib/systemd/systemd option, you
+         may want to also pass CS_trigger=/usr/lib/systemd/systemd option.
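Review bot: The `CS_loader=` and `CS_trigger=` overrides documented in the last two help texts let anyone who can edit the boot command line substitute their own policy loader or postpone activation past the real init, which is exactly the boot-hijack window the OMIT_USERSPACE_LOADER text describes; the help should say that these settings are only as trustworthy as the command line, e.g. append `Note that a writable kernel command line can override this; protect the command line (bootloader lockdown) or use SECURITY_CAITSITH_OMIT_USERSPACE_LOADER.` to the POLICY_LOADER entry. If lsm.o registers path_* hooks (realpath.o in the Makefile suggests pathname-based checks), SECURITY_CAITSITH also needs `select SECURITY_PATH`, which I believe TOMOYO and AppArmor both do — confirm against lsm.c. Stylistically, the first entry uses `help` while the others use `---help---`, and `default n` on a bool is redundant and can be dropped.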
diff --git a/security/caitsith/Makefile b/security/caitsith/Makefile
new file mode 100644
index 0000000..1f0b83f
--- /dev/null
+++ b/security/caitsith/Makefile
@@ -0,0 +1,15 @@
+obj-y += permission.o gc.o policy_io.o realpath.o lsm.o load_policy.o
+
+$(obj)/policy/policy.conf:
+       @mkdir -p $(obj)/policy/
+       @echo Creating an empty policy/policy.conf
+       @touch $@
+
+$(obj)/builtin-policy.h: $(obj)/policy/policy.conf
+       @echo Generating built-in policy for CaitSith.
+       @echo "static char cs_builtin_policy[] __initdata =" > [email protected]
+       @sed -e 's/\\/\\134/g' -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < 
$(obj)/policy/policy.conf >> [email protected]
+       @echo "\"\";" >> [email protected]
+       @mv [email protected] $@
+
+$(obj)/policy_io.o: $(obj)/builtin-policy.h
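Review bot: A missing `policy/policy.conf` is silently replaced by an empty file by the first rule and then compiled into an empty `cs_builtin_policy[]`, so with SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y the kernel would activate at boot with no built-in policy at all (whether that denies or permits everything I cannot tell from here), with nothing but an `@echo` as a hint. Since Kbuild exports CONFIG_ symbols to make, that rule can fail instead of fabricating the file in that configuration: `$(if $(CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER),$(error $@ is required when CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y))` as its first recipe line. The generated header is also not listed in `clean-files`, so `make clean` leaves a stale builtin-policy.h in the object tree; `clean-files := builtin-policy.h` fixes that. The `[email protected]` tokens and the line break after `<` at lines 143–144 look like mail-archive mangling of `$@.tmp` and a wrapped recipe line rather than the submitted text, so I have not treated them as defects.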
-- 
1.8.3.1
