[PATCH 8/8] CaitSith: Add Kconfig and Makefile

[Tetsuo Handa]

CaitSith uses LSM hooks and securityfs support. For now, CaitSith is not
using security blobs (i.e. "void *security" field in data structures)
so that you can enable CaitSith using Multiple Concurrent LSMs.

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
---
 security/Kconfig           |  6 ++++++
 security/Makefile          |  2 ++
 security/caitsith/Kconfig  | 48 ++++++++++++++++++++++++++++++++++++++++++++++
 security/caitsith/Makefile | 15 +++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 security/caitsith/Kconfig
 create mode 100644 security/caitsith/Makefile

diff --git a/security/Kconfig b/security/Kconfig
index 176758c..ab5b634 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -124,6 +124,7 @@ source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
 source security/loadpin/Kconfig
 source security/yama/Kconfig
+source security/caitsith/Kconfig
 
 source security/integrity/Kconfig
 
@@ -133,6 +134,7 @@ choice
 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+	default DEFAULT_SECURITY_CAITSITH if SECURITY_CAITSITH
 	default DEFAULT_SECURITY_DAC
 
 	help
@@ -151,6 +153,9 @@ choice
 	config DEFAULT_SECURITY_APPARMOR
 		bool "AppArmor" if SECURITY_APPARMOR=y
 
+	config DEFAULT_SECURITY_CAITSITH
+		bool "CaitSith" if SECURITY_CAITSITH=y
+
 	config DEFAULT_SECURITY_DAC
 		bool "Unix Discretionary Access Controls"
 
@@ -162,6 +167,7 @@ config DEFAULT_SECURITY
 	default "smack" if DEFAULT_SECURITY_SMACK
 	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
 	default "apparmor" if DEFAULT_SECURITY_APPARMOR
+	default "caitsith" if DEFAULT_SECURITY_CAITSITH
 	default "" if DEFAULT_SECURITY_DAC
 
 endmenu
diff --git a/security/Makefile b/security/Makefile
index f2d71cd..3745af0 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
 subdir-$(CONFIG_SECURITY_YAMA)		+= yama
 subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
+subdir-$(CONFIG_SECURITY_CAITSITH)	+= caitsith
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -25,6 +26,7 @@ obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
 obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
+obj-$(CONFIG_SECURITY_CAITSITH)		+= caitsith/
 
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY)		+= integrity
diff --git a/security/caitsith/Kconfig b/security/caitsith/Kconfig
new file mode 100644
index 0000000..005cdb1
--- /dev/null
+++ b/security/caitsith/Kconfig
@@ -0,0 +1,48 @@
+config SECURITY_CAITSITH
+	bool "CaitSith Support"
+	depends on SECURITY
+	select SECURITYFS
+	select SRCU
+	default n
+	help
+	  This selects CaitSith, check list based access control.
+	  Required userspace tools and further information may be
+	  found at <https://caitsith.osdn.jp/>.
+	  If you are unsure how to answer this question, answer N.
+
+config SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+	bool "Activate without calling userspace policy loader."
+	default n
+	depends on SECURITY_CAITSITH
+	---help---
+	  Say Y here if you want to activate access control as soon as built-in
+	  policy was loaded. This option will be useful for systems where
+	  operations which can lead to the hijacking of the boot sequence are
+	  needed before loading the policy. For example, you can activate
+	  immediately after loading the fixed part of policy which will allow
+	  only operations needed for mounting a partition which contains the
+	  variant part of policy and verifying (e.g. running GPG check) and
+	  loading the variant part of policy. Since you can start using
+	  enforcing mode from the beginning, you can reduce the possibility of
+	  hijacking the boot sequence.
+
+config SECURITY_CAITSITH_POLICY_LOADER
+	string "Location of userspace policy loader"
+	default "/sbin/caitsith-init"
+	depends on SECURITY_CAITSITH
+	depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+	---help---
+	  This is the default pathname of policy loader which is called before
+	  activation. You can override this setting via CS_loader= kernel
+	  command line option.
+
+config SECURITY_CAITSITH_ACTIVATION_TRIGGER
+	string "Trigger for calling userspace policy loader"
+	default "/sbin/init"
+	depends on SECURITY_CAITSITH
+	depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+	---help---
+	  This is the default pathname of activation trigger. You can override
+	  this setting via CS_trigger= kernel command line option.
+	  For example, if you pass init=/usr/lib/systemd/systemd option, you
+	  may want to also pass CS_trigger=/usr/lib/systemd/systemd option.
diff --git a/security/caitsith/Makefile b/security/caitsith/Makefile
new file mode 100644
index 0000000..1f0b83f
--- /dev/null
+++ b/security/caitsith/Makefile
@@ -0,0 +1,15 @@
+obj-y += permission.o gc.o policy_io.o realpath.o lsm.o load_policy.o
+
+$(obj)/policy/policy.conf:
+	@mkdir -p $(obj)/policy/
+	@echo Creating an empty policy/policy.conf
+	@touch $@
+
+$(obj)/builtin-policy.h: $(obj)/policy/policy.conf
+	@echo Generating built-in policy for CaitSith.
+	@echo "static char cs_builtin_policy[] __initdata =" > $@.tmp
+	@sed -e 's/\\/\\134/g' -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/policy.conf >> $@.tmp
+	@echo "\"\";" >> $@.tmp
+	@mv $@.tmp $@
+
+$(obj)/policy_io.o: $(obj)/builtin-policy.h
-- 
1.8.3.1