[PATCH 14/14] Activate the configuration and build of the TSEM LSM.
Casey Schaufler
casey at schaufler-ca.com
Wed Feb 8 22:15:26 UTC 2023
On 2/3/2023 9:09 PM, Dr. Greg wrote:
> Complete the implementation by integrating the LSM into the
> configuration and kernel build infrastructure.
>
> Signed-off-by: Greg Wettstein <greg at enjellic.com>
> ---
> security/Kconfig | 11 ++++++-----
> security/Makefile | 1 +
> security/tsem/Kconfig | 22 ++++++++++++++++++++++
> security/tsem/Makefile | 2 ++
> 4 files changed, 31 insertions(+), 5 deletions(-)
> create mode 100644 security/tsem/Kconfig
> create mode 100644 security/tsem/Makefile
>
> diff --git a/security/Kconfig b/security/Kconfig
> index e6db09a779b7..98c538ad6790 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -207,6 +207,7 @@ source "security/yama/Kconfig"
> source "security/safesetid/Kconfig"
> source "security/lockdown/Kconfig"
> source "security/landlock/Kconfig"
> +source "security/tsem/Kconfig"
>
> source "security/integrity/Kconfig"
>
> @@ -246,11 +247,11 @@ endchoice
>
> config LSM
> string "Ordered list of enabled LSMs"
> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
> - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf,tsem"
Better check with the BPF team to see if they're OK with TSEM
following BPF in loading order.
> if DEFAULT_SECURITY_SMACK
> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf,tsem" if DEFAULT_SECURITY_APPARMOR
> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf,tsem" if DEFAULT_SECURITY_TOMOYO
> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf,tsem" if DEFAULT_SECURITY_DAC
> + default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf,tsem"
> help
> A comma-separated list of LSMs, in initialization order.
> Any LSMs left off this list will be ignored. This can be
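Review bot: Every new default in this hunk appends `tsem` as the very last entry, which places its hooks after SELinux, AppArmor, Smack, TOMOYO and BPF in the call chain; for the hooks where the LSM framework returns at the first non-zero result, an access that one of those earlier modules denies never reaches TSEM at all. If TSEM is meant to model every security event in scope, as the new tsem/Kconfig help text suggests, the commit message should say that this default deliberately trades completeness of the model for running last, or the entry should be positioned where it sees the events it is supposed to record. A sentence in the CONFIG_LSM help after "This can be", such as `TSEM, when built, is placed last by default and therefore only observes events that the LSMs before it in this list permit.`, would make the trade-off visible to whoever tunes the order.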
> diff --git a/security/Makefile b/security/Makefile
> index 18121f8f85cd..11d93885c806 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
> obj-$(CONFIG_CGROUPS) += device_cgroup.o
> obj-$(CONFIG_BPF_LSM) += bpf/
> obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
> +obj-$(CONFIG_SECURITY_TSEM) += tsem/
>
> # Object integrity file lists
> obj-$(CONFIG_INTEGRITY) += integrity/
> diff --git a/security/tsem/Kconfig b/security/tsem/Kconfig
> new file mode 100644
> index 000000000000..f9199686844a
> --- /dev/null
> +++ b/security/tsem/Kconfig
> @@ -0,0 +1,22 @@
> +config SECURITY_TSEM
> + bool "Trusted Security Event Modeling"
> + depends on SECURITY
> + depends on NET && INET
> + select SECURITY_NETWORK
> + select SECURITYFS
> + select CRYPTO
> + select CRYPTO_SHA256
> + select CRYPTO_HASH_INFO
> + select TCG_TPM if HAS_IOMEM && !UML
> + select TCG_TIS if TCG_TPM && X86
> + select TCG_CRB if TCG_TPM && ACPI
> + default n
> + help
> + This option selects support for Trusted Security Event
> + Modeling (TSEM). TSEM implements the ability to model
> + the security state of either the system at large or in a
> + restricted namespace on the basis of the LSM security
> + events and attributes that occur in the scope of the model.
> + The model may be implemented either in the kernel proper
> + or exported to an external Trusted Modeling Agent (TMA).
> + If you are unsure how to answer this question, answer N.
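Review bot: The help text does not mention that this option pulls in the TPM subsystem and the TIS/CRB drivers via the three `select TCG_*` lines, nor what happens when the conditional `select TCG_TPM if HAS_IOMEM && !UML` does not fire or no TPM is present at runtime; given the trust.o and export.o objects in the accompanying Makefile, a TPM-anchored trust root is presumably involved, so a user enabling this needs to know whether the model degrades to a software-only state or is unavailable. Add a sentence to the help describing the TPM dependency and the no-TPM behaviour, and, since `select` forces those symbols on regardless of their own `depends on`, a one-line comment above the TCG_TIS/TCG_CRB selects explaining why a modeling LSM needs specific hardware drivers (this appears to mirror the integrity Kconfig pattern, which is worth stating). The `default n` line is the implicit default for a bool and can be dropped to match the neighbouring LSM Kconfig files.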
> diff --git a/security/tsem/Makefile b/security/tsem/Makefile
> new file mode 100644
> index 000000000000..d43cf2ae2142
> --- /dev/null
> +++ b/security/tsem/Makefile
> @@ -0,0 +1,2 @@
> +obj-$(CONFIG_SECURITY_TSEM) := tsem.o model.o namespace.o map.o event.o fs.o \
> + export.o trust.o