[openwrt/openwrt] config: add KERNEL_LSM symbol

LEDE Commits lede-commits at lists.infradead.org
Thu Sep 3 09:14:50 EDT 2020


dangole pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/f922a3e00e0145be9c158de60bef255fe2cb65a1

commit f922a3e00e0145be9c158de60bef255fe2cb65a1
Author: Paul Spooren <mail at aparcar.org>
AuthorDate: Tue Sep 1 14:32:45 2020 -1000

    config: add KERNEL_LSM symbol
    
    The LSM (Linux Security Module) list is the successor of the now
    legacy *major LSM* choice. Instead of selecting a single security
    module, the LSM symbol is a comma-separated, ordered list of modules
    to initialise.
    
    Until recently OpenWrt would only support DAC (Unix discretionary access
    controls) which don't require an additional entry in the LSM list. With
    the newly introduced SELinux support the LSM needs to be extended else
    only a manual modified Kernel cmdline (`security=selinux`) would
    activate SELinux.
    
    As the default OpenWrt Kernel config sets DAC as default security
    mechanism, SELinux is stripped from the LSM list, even if
    `KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without
    a modified cmdline this commit sets a specific LSM list if
    `KERNEL_SECURITY_SELINUX` is enabled.
    
    The upstream Kconfig adds even more mechanisms
    (smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt,
    these can be ignored.
    
    To compile SELinux Kernel support but disable it from loading, the
    already present options `KERNEL_SECURITY_SELINUX_DISABLE` or
    `KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`)
    can be used. Further it's possible to edit `/etc/selinux/config`.
    
    Signed-off-by: Paul Spooren <mail at aparcar.org>
---
 config/Config-kernel.in | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/config/Config-kernel.in b/config/Config-kernel.in
index 492c762678..32383dadab 100644
--- a/config/Config-kernel.in
+++ b/config/Config-kernel.in
@@ -1133,18 +1133,10 @@ config KERNEL_SECURITY_SELINUX_DEVELOP
 	bool "NSA SELinux Development Support"
 	depends on KERNEL_SECURITY_SELINUX
 
-choice
-	prompt "First legacy 'major LSM' to be initialized"
+config KERNEL_LSM
+	string
+	default "lockdown,yama,loadpin,safesetid,integrity,selinux"
 	depends on KERNEL_SECURITY_SELINUX
-	default KERNEL_DEFAULT_SECURITY_SELINUX
-
-	config KERNEL_DEFAULT_SECURITY_SELINUX
-		bool "SELinux"
-
-	config KERNEL_DEFAULT_SECURITY_DAC
-		bool "Unix Discretionary Access Controls"
-
-endchoice
 
 config KERNEL_EXT4_FS_SECURITY
 	bool "Ext4 Security Labels"
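Review bot: The new `KERNEL_LSM` default names five LSMs besides selinux (lockdown, yama, loadpin, safesetid, integrity), yet nothing in this hunk builds any of them, and as far as I recall the kernel's LSM ordering code simply ignores names in `CONFIG_LSM` whose module is not compiled in — so a reader of this list may assume Yama or lockdown are active on an OpenWrt SELinux build when they are not. A comment above the `default` would prevent that, e.g. `# Entries only take effect when the matching CONFIG_SECURITY_*/CONFIG_INTEGRITY option is built; order is initialisation order, with the exclusive LSM (selinux) last`. Because the symbol is a bare `string` with no prompt it cannot be changed from menuconfig; if that is deliberate, the same comment should say the list can still be overridden at boot with `lsm=` on the kernel cmdline, otherwise give it a prompt such as `string "Ordered list of LSMs to initialise"`. Since the `depends on KERNEL_SECURITY_SELINUX` line is kept as context, `KERNEL_LSM` is undefined when SELinux is off and the target kernel's own `CONFIG_LSM` default applies, which is also worth stating next to the symbol.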


