[PATCH 10/10] CaitSith: Add Kconfig and Makefile files.

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Wed Nov 2 17:10:25 UTC 2022 

The point of CaitSith is that you can choose CONFIG_SECURITY_CAITSITH=m .
But please don't choose CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y
unless you understood how to prepare built-in policy configuration.
If you choose CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y without
built-in policy configuration, the kernel will panic().

For more information, please follow instructions at "2.1.6. Install the
userspace tools" and afterwards in https://caitsith.osdn.jp/index.html .

Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
---
 security/Kconfig           |   1 +
 security/Makefile          |   1 +
 security/caitsith/Kconfig  | 112 +++++++++++++++++++++++++++++++++++++
 security/caitsith/Makefile |  11 ++++
 4 files changed, 125 insertions(+)
 create mode 100644 security/caitsith/Kconfig
 create mode 100644 security/caitsith/Makefile

diff --git a/security/Kconfig b/security/Kconfig
index e6db09a779b7..a2f3ba29d63b 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -209,6 +209,7 @@ source "security/lockdown/Kconfig"
 source "security/landlock/Kconfig"
 
 source "security/integrity/Kconfig"
+source "security/caitsith/Kconfig"
 
 choice
 	prompt "First legacy 'major LSM' to be initialized"
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..ef03c490e099 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
 obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
 obj-$(CONFIG_BPF_LSM)			+= bpf/
 obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/
+obj-$(CONFIG_SECURITY_CAITSITH)		+= caitsith/
 
 # Object integrity file lists
 obj-$(CONFIG_INTEGRITY)			+= integrity/
diff --git a/security/caitsith/Kconfig b/security/caitsith/Kconfig
new file mode 100644
index 000000000000..0bae4f2d8b7f
--- /dev/null
+++ b/security/caitsith/Kconfig
@@ -0,0 +1,112 @@
+config SECURITY_CAITSITH
+	tristate "CaitSith support"
+	default n
+	help
+	  Say Y or M here to support CaitSith.
+	  https://caitsith.osdn.jp/
+
+config SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+	bool "Activate without calling userspace policy loader."
+	default n
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to activate access control as soon as built-in
+	  policy was loaded. This option will be useful for systems where
+	  operations which can lead to the hijacking of the boot sequence are
+	  needed before loading the policy. For example, you can activate
+	  immediately after loading the fixed part of policy which will allow
+	  only operations needed for mounting a partition which contains the
+	  variant part of policy and verifying (e.g. running GPG check) and
+	  loading the variant part of policy. Since you can start using
+	  enforcing mode from the beginning, you can reduce the possibility of
+	  hijacking the boot sequence.
+
+	  If you say Y to both "Compile as loadable kernel module" option and
+	  "Activate without calling userspace policy loader." option, be sure
+	  to excplicitly load the kernel module from the userspace, for
+	  the kernel will not call /sbin/caitsith-init when /sbin/init starts.
+
+config SECURITY_CAITSITH_POLICY_LOADER
+	string "Location of userspace policy loader"
+	default "/sbin/caitsith-init"
+	depends on SECURITY_CAITSITH
+	depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+	help
+	  This is the default pathname of policy loader which is called before
+	  activation. You can override this setting via CS_loader= kernel
+	  command line option.
+
+config SECURITY_CAITSITH_ACTIVATION_TRIGGER
+	string "Trigger for calling userspace policy loader"
+	default "/sbin/init"
+	depends on SECURITY_CAITSITH
+	depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+	help
+	  This is the default pathname of activation trigger.
+	  You can override this setting via CS_trigger= kernel command line
+	  option. For example, if you pass init=/bin/systemd option, you may
+	  want to also pass CS_trigger=/bin/systemd option.
+
+	  Say Y here if you want to enable only specific functionality in order
+	  to reduce object file size.
+
+config SECURITY_CAITSITH_READDIR
+	bool "Enable readdir operation restriction."
+	default y
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable restriction of opening directories
+	  for reading. Reading directory entries is a commonly requested
+	  operation and damage caused by not restricting it might be acceptable
+	  for you.
+
+config SECURITY_CAITSITH_GETATTR
+	bool "Enable getattr operation restriction."
+	default y
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable restriction of getting information
+	  of files. Getting file's information is a commonly requested
+	  operation and damage caused by not restricting it might be acceptable
+	  for you.
+
+config SECURITY_CAITSITH_NETWORK
+	bool "Enable socket operation restriction."
+	default y
+	depends on SECURITY_NETWORK
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable restriction of INET/INET6/UNIX
+	  socket's operations.
+
+config SECURITY_CAITSITH_CAPABILITY
+	bool "Enable non-POSIX capability operation restriction."
+	default y
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable restriction of non-POSIX
+	  capabilities.
+
+config SECURITY_CAITSITH_ENVIRON
+	bool "Enable environment variable names/values restriction."
+	default y
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable restriction of environment variable
+	  names/values passed upon program execution request.
+
+config SECURITY_CAITSITH_MANUAL_DOMAIN_TRANSITION
+	bool "Enable domain transition without program execution request."
+	default y
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable domain transition without involving
+	  program execution request.
+
+config SECURITY_CAITSITH_AUTO_DOMAIN_TRANSITION
+	bool "Enable automatic domain transition."
+	default y
+	depends on SECURITY_CAITSITH
+	help
+	  Say Y here if you want to enable automatic domain transition when
+	  conditions are met.
diff --git a/security/caitsith/Makefile b/security/caitsith/Makefile
new file mode 100644
index 000000000000..4fb86ed45df0
--- /dev/null
+++ b/security/caitsith/Makefile
@@ -0,0 +1,11 @@
+caitsith-objs := permission.o gc.o policy_io.o realpath.o lsm.o
+obj-$(CONFIG_SECURITY_CAITSITH) += caitsith.o
+
+targets += builtin-policy.h
+quiet_cmd_policy = Generating built-in policy for CaitSith 0.2.
+cmd_policy = ( echo "static char cs_builtin_policy[] __initdata ="; sed -e 's/\\/\\134/g' -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/'; echo "\"\";" ) < $< > $@
+
+$(obj)/builtin-policy.h: $(wildcard $(obj)/policy.conf $(srctree)/$(src)/policy.conf) /dev/null FORCE
+	$(call if_changed,policy)
+
+$(obj)/policy_io.o: $(obj)/builtin-policy.h
-- 
2.18.4

More information about the Linux-security-module-archive mailing list