@@ -209,6 +209,7 @@ source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"
source "security/integrity/Kconfig"
+source "security/caitsith/Kconfig"
choice
prompt "First legacy 'major LSM' to be initialized"
@@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUPS) += device_cgroup.o
obj-$(CONFIG_BPF_LSM) += bpf/
obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_CAITSITH) += caitsith/
# Object integrity file lists
obj-$(CONFIG_INTEGRITY) += integrity/
new file mode 100644
@@ -0,0 +1,112 @@
+config SECURITY_CAITSITH
+ tristate "CaitSith support"
+ default n
+ help
+ Say Y or M here to support CaitSith.
+ https://caitsith.osdn.jp/
+
+config SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+ bool "Activate without calling userspace policy loader."
+ default n
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to activate access control as soon as built-in
+ policy was loaded. This option will be useful for systems where
+ operations which can lead to the hijacking of the boot sequence are
+ needed before loading the policy. For example, you can activate
+ immediately after loading the fixed part of policy which will allow
+ only operations needed for mounting a partition which contains the
+ variant part of policy and verifying (e.g. running GPG check) and
+ loading the variant part of policy. Since you can start using
+ enforcing mode from the beginning, you can reduce the possibility of
+ hijacking the boot sequence.
+
+ If you say Y to both "Compile as loadable kernel module" option and
+ "Activate without calling userspace policy loader." option, be sure
+ to excplicitly load the kernel module from the userspace, for
+ the kernel will not call /sbin/caitsith-init when /sbin/init starts.
+
+config SECURITY_CAITSITH_POLICY_LOADER
+ string "Location of userspace policy loader"
+ default "/sbin/caitsith-init"
+ depends on SECURITY_CAITSITH
+ depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+ help
+ This is the default pathname of policy loader which is called before
+ activation. You can override this setting via CS_loader= kernel
+ command line option.
+
+config SECURITY_CAITSITH_ACTIVATION_TRIGGER
+ string "Trigger for calling userspace policy loader"
+ default "/sbin/init"
+ depends on SECURITY_CAITSITH
+ depends on !SECURITY_CAITSITH_OMIT_USERSPACE_LOADER
+ help
+ This is the default pathname of activation trigger.
+ You can override this setting via CS_trigger= kernel command line
+ option. For example, if you pass init=/bin/systemd option, you may
+ want to also pass CS_trigger=/bin/systemd option.
+
+ Say Y here if you want to enable only specific functionality in order
+ to reduce object file size.
+
+config SECURITY_CAITSITH_READDIR
+ bool "Enable readdir operation restriction."
+ default y
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable restriction of opening directories
+ for reading. Reading directory entries is a commonly requested
+ operation and damage caused by not restricting it might be acceptable
+ for you.
+
+config SECURITY_CAITSITH_GETATTR
+ bool "Enable getattr operation restriction."
+ default y
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable restriction of getting information
+ of files. Getting file's information is a commonly requested
+ operation and damage caused by not restricting it might be acceptable
+ for you.
+
+config SECURITY_CAITSITH_NETWORK
+ bool "Enable socket operation restriction."
+ default y
+ depends on SECURITY_NETWORK
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable restriction of INET/INET6/UNIX
+ socket's operations.
+
+config SECURITY_CAITSITH_CAPABILITY
+ bool "Enable non-POSIX capability operation restriction."
+ default y
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable restriction of non-POSIX
+ capabilities.
+
+config SECURITY_CAITSITH_ENVIRON
+ bool "Enable environment variable names/values restriction."
+ default y
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable restriction of environment variable
+ names/values passed upon program execution request.
+
+config SECURITY_CAITSITH_MANUAL_DOMAIN_TRANSITION
+ bool "Enable domain transition without program execution request."
+ default y
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable domain transition without involving
+ program execution request.
+
+config SECURITY_CAITSITH_AUTO_DOMAIN_TRANSITION
+ bool "Enable automatic domain transition."
+ default y
+ depends on SECURITY_CAITSITH
+ help
+ Say Y here if you want to enable automatic domain transition when
+ conditions are met.
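Review bot: The last paragraph of the SECURITY_CAITSITH_ACTIVATION_TRIGGER help (`Say Y here if you want to enable only specific functionality in order to reduce object file size.`) does not describe that option — it is a string option with no Y/N choice — and reads as a stray section heading for the SECURITY_CAITSITH_* feature switches that follow; drop it there and, if the hint is wanted, put it in the SECURITY_CAITSITH help, e.g. `The SECURITY_CAITSITH_* options below let you disable individual restrictions to reduce object file size.`. The help for SECURITY_CAITSITH_OMIT_USERSPACE_LOADER should also carry the consequence the commit message gives but the Kconfig text does not, since a user enabling it from menuconfig never sees the commit message: `If no built-in policy was compiled in, the kernel will panic() as soon as access control is activated.`. SECURITY_CAITSITH has no `depends on SECURITY`, as the other LSMs sourced from security/Kconfig have, so it can be offered when the LSM framework itself is disabled. Minor: `default n` on the tristate is already the Kconfig default and can go, and "excplicitly" in the OMIT_USERSPACE_LOADER help is a typo.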
new file mode 100644
@@ -0,0 +1,11 @@
+caitsith-objs := permission.o gc.o policy_io.o realpath.o lsm.o
+obj-$(CONFIG_SECURITY_CAITSITH) += caitsith.o
+
+targets += builtin-policy.h
+quiet_cmd_policy = Generating built-in policy for CaitSith 0.2.
+cmd_policy = ( echo "static char cs_builtin_policy[] __initdata ="; sed -e 's/\\/\\134/g' -e 's/"/\\"/g' -e 's/\(.*\)/"\1\\n"/'; echo "\"\";" ) < $< > $@
+
+$(obj)/builtin-policy.h: $(wildcard $(obj)/policy.conf $(srctree)/$(src)/policy.conf) /dev/null FORCE
+ $(call if_changed,policy)
+
+$(obj)/policy_io.o: $(obj)/builtin-policy.h
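Review bot: The builtin-policy.h rule silently embeds an empty policy when neither `$(obj)/policy.conf` nor `$(srctree)/$(src)/policy.conf` exists, because `$<` then resolves to the `/dev/null` fallback; together with CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y that is exactly the configuration the commit message says will panic() the kernel, and nothing at build time points it out. A parse-time check in this Makefile turns that boot-time panic into a build error (or a `$(warning ...)` if a hard failure is judged too strict); CONFIG_* symbols are visible here the same way `obj-$(CONFIG_SECURITY_CAITSITH)` already relies on. Separately, `quiet_cmd_policy` should follow the kbuild `  GEN     $@` convention rather than a prose sentence, so quiet-build output lines up with the other tools.
```make
# Refuse to build a kernel that will panic at activation: with the userspace
# loader omitted, the built-in policy is the only policy there is.
ifeq ($(CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER),y)
ifeq ($(wildcard $(obj)/policy.conf $(srctree)/$(src)/policy.conf),)
$(error CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y but no policy.conf was found in $(obj) or $(srctree)/$(src))
endif
endif

quiet_cmd_policy = GEN     $@
# … unchanged: cmd_policy and the builtin-policy.h / policy_io.o rules …
```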
The point of CaitSith is that you can choose CONFIG_SECURITY_CAITSITH=m . But please don't choose CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y unless you understand how to prepare built-in policy configuration. If you choose CONFIG_SECURITY_CAITSITH_OMIT_USERSPACE_LOADER=y without built-in policy configuration, the kernel will panic(). For more information, please follow the instructions at "2.1.6. Install the userspace tools" and afterwards in https://caitsith.osdn.jp/index.html . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --- security/Kconfig | 1 + security/Makefile | 1 + security/caitsith/Kconfig | 112 +++++++++++++++++++++++++++++++++++++ security/caitsith/Makefile | 11 ++++ 4 files changed, 125 insertions(+) create mode 100644 security/caitsith/Kconfig create mode 100644 security/caitsith/Makefile