Merge branch 'fixes-v5.1-a' of git://git.kernel.org/pub/scm/linux/ker…
…nel/git/jmorris/linux-security

Pull security layer fixes from James Morris:
 "Yama and LSM config fixes"

* 'fixes-v5.1-a' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig"
  Yama: mark local symbols as static
torvalds committed Mar 30, 2019
2 parents 922c010 + 2623c4f commit 1219530
Showing 2 changed files with 42 additions and 4 deletions.
38 changes: 38 additions & 0 deletions security/Kconfig
@@ -239,8 +239,46 @@ source "security/safesetid/Kconfig"

source "security/integrity/Kconfig"

choice
prompt "First legacy 'major LSM' to be initialized"
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
default DEFAULT_SECURITY_DAC

help
This choice is there only for converting CONFIG_DEFAULT_SECURITY
in old kernel configs to CONFIG_LSM in new kernel configs. Don't
change this choice unless you are creating a fresh kernel config,
for this choice will be ignored after CONFIG_LSM has been set.

Selects the legacy "major security module" that will be
initialized first. Overridden by non-default CONFIG_LSM.

config DEFAULT_SECURITY_SELINUX
bool "SELinux" if SECURITY_SELINUX=y

config DEFAULT_SECURITY_SMACK
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y

config DEFAULT_SECURITY_TOMOYO
bool "TOMOYO" if SECURITY_TOMOYO=y

config DEFAULT_SECURITY_APPARMOR
bool "AppArmor" if SECURITY_APPARMOR=y

config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"

endchoice

config LSM
string "Ordered list of enabled LSMs"
default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
help
A comma-separated list of LSMs, in initialization order.
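Review bot: The conditional `default` lines under `config LSM` are not symmetric, and neither the help text nor a comment says why: the `DEFAULT_SECURITY_SMACK` and `DEFAULT_SECURITY_APPARMOR` lists keep every legacy major LSM with the chosen one moved first, while the `DEFAULT_SECURITY_TOMOYO` list names only `tomoyo` and the `DEFAULT_SECURITY_DAC` list names no major module at all. A config migrated through `make oldconfig` with one of the latter two choices therefore ends up with a CONFIG_LSM from which SELinux, Smack and AppArmor are absent even if they are built in; that looks intended to mirror the old single-module behaviour, but it should be stated. I would add a Kconfig comment above the defaults, e.g. `# TOMOYO and DAC defaults intentionally omit the other major LSMs; extend CONFIG_LSM by hand if they are wanted`, and mention in the help that the effective order can be checked at run time in /sys/kernel/security/lsm. The `config LSM` entry continues past the end of this hunk.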
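--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -206,7 +206,7 @@ static void yama_ptracer_del(struct task_struct *tracer,
 * yama_task_free - check for task_pid to remove from exception list
 * @task: task being removed
 */
-void yama_task_free(struct task_struct *task)
+static void yama_task_free(struct task_struct *task)
 {
 yama_ptracer_del(task, task);
 }
@@ -222,7 +222,7 @@ void yama_task_free(struct task_struct *task)
 * Return 0 on success, -ve on error. -ENOSYS is returned when Yama
 * does not handle the given option.
 */
-int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 unsigned long arg4, unsigned long arg5)
 {
 int rc = -ENOSYS;
@@ -401,7 +401,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
 *
 * Returns 0 if following the ptrace is allowed, -ve on error.
 */
-int yama_ptrace_traceme(struct task_struct *parent)
+static int yama_ptrace_traceme(struct task_struct *parent)
 {
 int rc = 0;
 
@@ -452,7 +452,7 @@ static int yama_dointvec_minmax(struct ctl_table *table, int write,
 static int zero;
 static int max_scope = YAMA_SCOPE_NO_ATTACH;
 
-struct ctl_path yama_sysctl_path[] = {
+static struct ctl_path yama_sysctl_path[] = {
 { .procname = "kernel", },
 { .procname = "yama", },
 { }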
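Review bot: `yama_sysctl_path` in the last hunk becomes file-local but stays writable; if its only consumer accepts a `const struct ctl_path *` (the registration call is outside the hunk, so this needs checking), declaring it `static const struct ctl_path yama_sysctl_path[] = {` would also keep the table out of writable kernel data. For the three hook functions now marked `static`, the change is only safe if no header or other file still declares or calls them, which these hunks cannot show; the bodies of `yama_task_prctl` and `yama_ptrace_traceme` also run past the end of their hunks.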
