diff options
author | James Morris <jmorris@namei.org> | 2017-02-14 16:17:24 +0300 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2017-03-06 03:00:12 +0300 |
commit | dd0859dccbe291cf8179a96390f5c0e45cb9af1d (patch) | |
tree | e7a2b67dfdb2beaa07d42a314eb142289599d381 /security/Kconfig | |
parent | 84e6885e9e6a818d1ca1eabb9b720b357ab07a8b (diff) | |
download | linux-dd0859dccbe291cf8179a96390f5c0e45cb9af1d.tar.xz |
security: introduce CONFIG_SECURITY_WRITABLE_HOOKS
Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.
Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.
Signed-off-by: James Morris <james.l.morris@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'security/Kconfig')
-rw-r--r-- | security/Kconfig | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig index d900f47eaa68..3ff1bf91080e 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -31,6 +31,11 @@ config SECURITY If you are unsure how to answer this question, answer N. +config SECURITY_WRITABLE_HOOKS + depends on SECURITY + bool + default n + config SECURITYFS bool "Enable the securityfs filesystem" help |