security: Add a static lockdown policy LSM While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: 000d388ed3bbed745f366ce71b2bb7c2ee70f449 [log] [tgz]
author: Matthew Garrett <matthewgarrett@google.com> Mon Aug 19 17:17:39 2019 -0700
committer: James Morris <jmorris@namei.org> Mon Aug 19 21:54:15 2019 -0700
tree: 8df5d266713aa79f5009a515ec5db597a61aba30
parent: 9e47d31d6a57b5babaca36d42b0d11b6db6019b7 [diff] [blame]
diff --git a/security/Makefile b/security/Makefile
index c598b90..be1dd9d 100644
--- a/security/Makefile
+++ b/security/Makefile

@@ -11,6 +11,7 @@
 subdir-$(CONFIG_SECURITY_YAMA)		+= yama
 subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
 subdir-$(CONFIG_SECURITY_SAFESETID)    += safesetid
+subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -27,6 +28,7 @@
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
 obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
 obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/
+obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 
 # Object integrity file lists
commit	000d388ed3bbed745f366ce71b2bb7c2ee70f449	[log] [tgz]
author	Matthew Garrett <matthewgarrett@google.com>	Mon Aug 19 17:17:39 2019 -0700
committer	James Morris <jmorris@namei.org>	Mon Aug 19 21:54:15 2019 -0700
tree	8df5d266713aa79f5009a515ec5db597a61aba30
parent	9e47d31d6a57b5babaca36d42b0d11b6db6019b7 [diff] [blame]