[PATCH 8/8] CaitSith: Add Kconfig and Makefile

From: Tetsuo Handa
Date: Fri Oct 21 2016 - 08:51:03 EST


CaitSith uses LSM hooks and securityfs support. For now, CaitSith is not
using security blobs (i.e. "void *security" field in data structures)
so that you can enable CaitSith using Multiple Concurrent LSMs.

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
---
security/Kconfig | 6 ++++++
security/Makefile | 2 ++
security/caitsith/Kconfig | 48 ++++++++++++++++++++++++++++++++++++++++++++++
security/caitsith/Makefile | 15 +++++++++++++++
4 files changed, 71 insertions(+)
create mode 100644 security/caitsith/Kconfig
create mode 100644 security/caitsith/Makefile

diff --git a/security/Kconfig b/security/Kconfig
index 176758c..ab5b634 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -124,6 +124,7 @@ source security/tomoyo/Kconfig
source security/apparmor/Kconfig
source security/loadpin/Kconfig
source security/yama/Kconfig
+source security/caitsith/Kconfig

source security/integrity/Kconfig

@@ -133,6 +134,7 @@ choice
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+ default DEFAULT_SECURITY_CAITSITH if SECURITY_CAITSITH
default DEFAULT_SECURITY_DAC

help
@@ -151,6 +153,9 @@ choice
config DEFAULT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y

+ config DEFAULT_SECURITY_CAITSITH
+ bool "CaitSith" if SECURITY_CAITSITH=y
+
config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"

@@ -162,6 +167,7 @@ config DEFAULT_SECURITY
default "smack" if DEFAULT_SECURITY_SMACK
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
default "apparmor" if DEFAULT_SECURITY_APPARMOR
+ default "caitsith" if DEFAULT_SECURITY_CAITSITH
default "" if DEFAULT_SECURITY_DAC

endmenu
diff --git a/security/Makefile b/security/Makefile
index f2d71cd..3745af0 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
+subdir-$(CONFIG_SECURITY_CAITSITH) += caitsith

# always enable default capabilities
obj-y += commoncap.o
@@ -25,6 +26,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
+obj-$(CONFIG_SECURITY_CAITSITH) += caitsith/

# Object integrity file lists
subdir-$(CONFIG_INTEGRITY) += integrity
diff --git a/security/caitsith/Kconfig b/security/caitsith/Kconfig
new file mode 100644
index 0000000..005cdb1
--- /dev/null
+++ b/security/caitsith/Kconfig
@@ -0,0 +1,48 @@
+config SECURITY_CAITSITH
+ bool "CaitSith Support"
+ depends on SECURITY
+ select SECURITYFS
+ select SRCU
+ default n
+ help
+ This selects CaitSith, check list based access control.
+ Required userspace tools and further information may be
+ found at <https://caitsith.osdn.jp/>.
+ If you are unsure how to answer this question, answer N.
+
+config SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+ bool "Activate without calling userspace policy loader."
+ default n
+ depends on SECURITY_CAITSITH
+ ---help---
+ Say Y here if you want to activate access control as soon as built-in
+ policy was loaded. This option will be useful for systems where
+ operations which can lead to the hijacking of the boot sequence are
+ needed before loading the policy. For example, you can activate
+ immediately after loading the fixed part of policy which will allow
+ only operations needed for mounting a partition which contains the
+ variant part of policy and verifying (e.g. running GPG check) and
+ loading the variant part of policy. Since you can start using
+ enforcing mode from the beginning, you can reduce the possibility of
+ hijacking the boot sequence.
+
+config SECURITY_CAITSITH_POLICY_LOADER
+ string "Location of userspace policy loader"
+ default "/sbin/caitsith-init"
+ depends on SECURITY_CAITSITH
+ depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+ ---help---
+ This is the default pathname of policy loader which is called before
+ activation. You can override this setting via CS_loader= kernel
+ command line option.
+
+config SECURITY_CAITSITH_ACTIVATION_TRIGGER
+ string "Trigger for calling userspace policy loader"
+ default "/sbin/init"
+ depends on SECURITY_CAITSITH
+ depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+ ---help---
+ This is the default pathname of activation trigger. You can override
+ this setting via CS_trigger= kernel command line option.
+ For example, if you pass init=/usr/lib/systemd/systemd option, you
+ may want to also pass CS_trigger=/usr/lib/systemd/systemd option.
diff --git a/security/caitsith/Makefile b/security/caitsith/Makefile
new file mode 100644
index 0000000..1f0b83f
--- /dev/null
+++ b/security/caitsith/Makefile
@@ -0,0 +1,15 @@
+obj-y += permission.o gc.o policy_io.o realpath.o lsm.o load_policy.o
+
+$(obj)/policy/policy.conf:
+ @mkdir -p $(obj)/policy/
+ @echo Creating an empty policy/policy.conf
+ @touch $@
+
+$(obj)/builtin-policy.h: $(obj)/policy/policy.conf
+ @echo Generating built-in policy for CaitSith.
+ @echo "static char cs_builtin_policy[] __initdata =" > $@.tmp
+ @sed -e 's/\\/\\134/g' -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/' < $(obj)/policy/policy.conf >> $@.tmp
+ @echo "\"\";" >> $@.tmp
+ @mv $@.tmp $@
+
+$(obj)/policy_io.o: $(obj)/builtin-policy.h
--
1.8.3.1