[PATCH v3 1/1] NAX LSM: Add initial support
Randy Dunlap
rdunlap at infradead.org
Thu Aug 19 22:29:27 UTC 2021
Hi--
On 8/19/21 3:13 PM, Igor Zhbanov wrote:
> diff --git a/security/nax/Kconfig b/security/nax/Kconfig
> new file mode 100644
> index 000000000000..f0777cc38e17
> --- /dev/null
> +++ b/security/nax/Kconfig
> @@ -0,0 +1,114 @@
> +# SPDX-License-Identifier: GPL-2.0-only
> +config SECURITY_NAX
> + bool "NAX support"
> + depends on SECURITY
> + default n
'default n' is the default value and hence it is redundant.
We usually omit it.
> + help
> + This selects NAX (No Anonymous Execution), which extends DAC
> + support with additional system-wide security settings beyond
> + regular Linux discretionary access controls. Currently, the only
> + available behavior is restricting the execution of anonymous and
> + modified pages.
> +
> + The module can restrict either privileged or all processes,
> + depending on the settings. It is possible to configure action,
> + performed when the violation is detected (log, log + block,
> + log + kill).
> +
> + Further information can be found in
> + Documentation/admin-guide/LSM/NAX.rst.
> +
> + If you are unsure how to answer this question, answer N.
> +
> +choice
> + prompt "NAX violation action mode"
> + default SECURITY_NAX_MODE_LOG
> + depends on SECURITY_NAX
> + help
> + Select the NAX violation action mode.
> +
> + In the default permissive mode the violations are only logged
> + (if logging is not suppressed). In the enforcing mode the violations
> + are prohibited. And in the kill mode the process is terminated.
> +
> + The value can be overridden at boot time with the kernel command-line
> + parameter "nax_mode=" (0, 1, 2) or "kernel.nax.mode=" (0, 1, 2)
> + sysctl parameter (if the settings are not locked).
> +
> + config SECURITY_NAX_MODE_LOG
> + bool "Permissive mode"
> + help
> + In this mode violations are only logged (if logging is not
> + suppressed by the "kernel.nax.quiet" parameter). The
> + violating system call will not be prohibited.
> + config SECURITY_NAX_MODE_ENFORCING
> + bool "Enforcing mode"
> + help
> + In this mode violations are prohibited and logged (if
> + logging is not suppressed by the "kernel.nax.quiet"
> + parameter). The violating system call will return -EACCES
> + error.
> + config SECURITY_NAX_MODE_KILL
> + bool "Kill mode"
> + help
> + In this mode the violating process is terminated on the
> + first violation system call. The violation event is logged
> + (if logging is not suppressed by the "kernel.nax.quiet"
> + parameter).
> +endchoice
> +
> +config SECURITY_NAX_MODE
> + int
> + depends on SECURITY_NAX
> + default 0 if SECURITY_NAX_MODE_LOG
> + default 1 if SECURITY_NAX_MODE_ENFORCING
> + default 2 if SECURITY_NAX_MODE_KILL
> +
> +config SECURITY_NAX_CHECK_ALL
> + bool "Check all processes"
> + depends on SECURITY_NAX
> + help
> + If selected, NAX will check all processes. If not selected, NAX
> + will check only privileged processes (which is determined either
> + by having zero uid, euid, suid or fsuid; or by possessing
> + capabilities outside of allowed set).
> +
> + The value can also be overridden at boot time with the kernel
> + command-line parameter "nax_check_all=" (0, 1) or
> + "kernel.nax_check_all=" (0, 1) sysctl parameter (if the settings
kernel.nax.check_all ?
> + are not locked).
> +
> +config SECURITY_NAX_ALLOWED_CAPS
> + hex "Process capabilities ignored by NAX"
> + default 0x0
> + range 0x0 0xffffffffffff
Indent above line with tab + 2 spaces instead of all spaces.
> + depends on SECURITY_NAX
> + help
> + Hexadecimal number representing the set of capabilities
> + a non-root process can possess without being considered
> + "privileged" by NAX LSM.
> +
> + The value can be overridden at boot time with the command-line
> + parameter "nax_allowed_caps=" or "kernel.nax.allowed_caps=" sysctl
> + parameter (if the settings are not locked).
> +
> +config SECURITY_NAX_QUIET
> + bool "Silence NAX messages"
> + depends on SECURITY_NAX
> + help
> + If selected, NAX will not print violations.
> +
> + The value can be overridden at boot with the command-line
> + parameter "nax_quiet=" (0, 1) or "kernel.nax_quiet=" (0, 1) sysctl
kernel.nax.quiet
> + parameter (if the settings are not locked).
> +
> +config SECURITY_NAX_LOCKED
> + bool "Lock NAX settings"
> + depends on SECURITY_NAX
> + help
> + Pevent any update to the settings of the NAX LSM. This applies to
Prevent
> + both sysctl writes and the kernel command line.
> +
> + If not selected, it can be enabled at boot time with the kernel
> + command-line parameter "nax_locked=1" or "kernel.nax_locked=1"
kernel.nax.locked
> + sysctl parameter (if the settings are not locked).
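Review bot: the choice help text says `parameter "nax_mode=" (0, 1, 2) or "kernel.nax.mode=" (0, 1, 2)` but never states which number selects which mode; the mapping exists only in the hidden `SECURITY_NAX_MODE` int symbol (`default 0 if SECURITY_NAX_MODE_LOG`, 1 for enforcing, 2 for kill), which menuconfig users and admins reading the boot parameter list will not see. Spell it out in the help, e.g. `"nax_mode=" (0 = permissive, 1 = enforcing, 2 = kill)`, and give the same treatment to the three per-mode help texts so each names its numeric value. Two smaller documentation points in the same hunk: the `SECURITY_NAX_ALLOWED_CAPS` help only says "Hexadecimal number representing the set of capabilities"; if it is a bitmask indexed by capability number (the `range 0x0 0xffffffffffff` suggests so), say how to build the value so admins do not have to read the source. And the `SECURITY_NAX_LOCKED` help ends with "(if the settings are not locked)", which reads circularly for the option that does the locking; "unless the settings were already locked" is clearer.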
--
~Randy
More information about the Linux-security-module-archive
mailing list