config: add KERNEL_LSM symbol

The LSM (Linux security mechanism) list is the successor of the now
legacy *major LSM*. Instead of defining a single security mechanism, the
LSM symbol is a comma-separated list of mechanisms to load.

Until recently OpenWrt would only support DAC (Unix discretionary access
controls), which don't require an additional entry in the LSM list. With
the newly introduced SELinux support the LSM needs to be extended, else
only a manually modified Kernel cmdline (`security=selinux`) would
activate SELinux.

As the default OpenWrt Kernel config sets DAC as the default security
mechanism, SELinux is stripped from the LSM list, even if
`KERNEL_DEFAULT_SECURITY_SELINUX` is activated. To allow SELinux without
a modified cmdline, this commit sets a specific LSM list if
`KERNEL_SECURITY_SELINUX` is enabled.

The upstream Kconfig adds even more mechanisms
(smack,selinux,tomoyo,apparmor), but until they're ported to OpenWrt,
these can be ignored.

To compile SELinux Kernel support but disable it from loading, the
already present options `KERNEL_SECURITY_SELINUX_DISABLE` or
`KERNEL_SECURITY_SELINUX_BOOTPARAM` (with custom cmdline `selinux=0`)
can be used. Further it's possible to edit `/etc/selinux/config`.

Signed-off-by: Paul Spooren <mail@aparcar.org>
Paul Spooren 2020-09-01 14:32:45 -10:00 committed by Daniel Golle
parent 45a81f7056
commit f922a3e00e


@ -1133,18 +1133,10 @@ config KERNEL_SECURITY_SELINUX_DEVELOP
bool "NSA SELinux Development Support"
depends on KERNEL_SECURITY_SELINUX
choice
prompt "First legacy 'major LSM' to be initialized"
config KERNEL_LSM
string
default "lockdown,yama,loadpin,safesetid,integrity,selinux"
depends on KERNEL_SECURITY_SELINUX
default KERNEL_DEFAULT_SECURITY_SELINUX
config KERNEL_DEFAULT_SECURITY_SELINUX
bool "SELinux"
config KERNEL_DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"
endchoice
config KERNEL_EXT4_FS_SECURITY
bool "Ext4 Security Labels"
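
Review bot: The `config KERNEL_LSM` entry has neither a prompt nor a `help` text, so the fixed default `"lockdown,yama,loadpin,safesetid,integrity,selinux"` is not shown in menuconfig and cannot be adjusted per build. With the `KERNEL_DEFAULT_SECURITY_SELINUX` / `KERNEL_DEFAULT_SECURITY_DAC` choice in this region giving way to the new symbol, any build that enables `KERNEL_SECURITY_SELINUX` gets `selinux` in the list. Consider adding a short `help` that states this and names `KERNEL_SECURITY_SELINUX_DISABLE` and `KERNEL_SECURITY_SELINUX_BOOTPARAM` as the ways to keep SELinux compiled in but not loaded, as the commit message describes. The commit message also still refers to `KERNEL_DEFAULT_SECURITY_SELINUX`; if that symbol is dropped here, it is worth checking that nothing else in the tree selects or depends on it.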