From 7404a4d3d5219bf68f75d211960e5675b7ac933e Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Thu, 25 Apr 2024 20:41:53 +0300
Subject: [PATCH] Off SMACK, TOMOYO and AppArmor LSM modules by default
---
 0001-security-off-odd-LSM-by-default.patch | 127 +++++++++++++++++++++
 kernel.spec | 4 +-
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 0001-security-off-odd-LSM-by-default.patch
diff --git a/0001-security-off-odd-LSM-by-default.patch b/0001-security-off-odd-LSM-by-default.patch
new file mode 100644
index 0000000..7d5ace3
--- /dev/null
+++ b/0001-security-off-odd-LSM-by-default.patch
@@ -0,0 +1,127 @@
+From 733d892580d0fa85a7cca2e1abd650ef0b5c78b4 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Thu, 25 Apr 2024 20:18:39 +0300
+Subject: [PATCH] security: off odd LSM by default
+
+Most ditros just do not enable not used LSM modules, but we have them enabled.
+They may become useful.
+
+However, there is a side effect, described in https://forum.rosalinux.ru/viewtopic.php?f=40&t=11089 and OTRS#20240403004357:
+security/smack/smack_netfilter.c adds a Netfilter (firewall) hook with priority=-225 (NF_IP_PRI_SELINUX_FIRST).
+When system is booted without "selinux=0" cmdline:
+srv1 ~ # netlabelctl map list
+domain:DEFAULT,UNLABELED
+but with "selinux=0":
+srv2 ~ # netlabelctl map list
+domain:"_",UNLABELED,4 domain:DEFAULT,CIPSOv4,3 domain:DEFAULT,UNLABELED,6
+
+Also, odd errors are sometimes printed:
+$ mv 0001-security-off-odd-LSM-by-default.patch /mnt/dev/rosa-pkgs/kernel-6.6 -v
+mv: setting attribute 'security.SMACK64' for 'security.SMACK64': Operation not permitted
+
+Added code for SMACK and TOMOYO is based on AppArmor.
+---
+ security/apparmor/lsm.c | 2 +-
+ security/smack/smack.h | 2 +-
+ security/smack/smack_lsm.c | 18 ++++++++++++++++--
+ security/tomoyo/tomoyo.c | 15 ++++++++++++++-
+ 4 files changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 366cdfd6a..42846cb93 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1461,7 +1461,7 @@ static const struct kernel_param_ops param_ops_aaintbool = {
+ .get = param_get_aaintbool
+ };
+ /* Boot time disable flag */
+-static int apparmor_enabled __ro_after_init = 1;
++static int apparmor_enabled __ro_after_init = 0;
+ module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
+
+ static int __init apparmor_enabled_setup(char *str)
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 041688e5a..b204d2fa2 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -294,7 +294,7 @@ int smack_populate_secattr(struct smack_known *skp);
+ /*
+ * Shared data.
+ */
+-extern int smack_enabled __initdata;
++extern int smack_enabled;
+ extern int smack_cipso_direct;
+ extern int smack_cipso_mapped;
+ extern struct smack_known *smack_net_ambient;
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index e1e297deb..72827dcde 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -66,7 +66,21 @@ static DEFINE_MUTEX(smack_ipv6_lock);
+ static LIST_HEAD(smk_ipv6_port_list);
+ #endif
+ struct kmem_cache *smack_rule_cache;
+-int smack_enabled __initdata;
++
++/* Boot time disable flag */
++int smack_enabled __ro_after_init = 0;
++module_param_named(enabled, smack_enabled, int, 0444);
++
++static int __init smack_enabled_setup(char *str)
++{
++ unsigned long enabled;
++ int error = kstrtoul(str, 0, &enabled);
++ if (!error)
++ smack_enabled = enabled ? 1 : 0;
++ return 1;
++}
++
++__setup("smack=", smack_enabled_setup);
+
+ #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
+ static struct {
+@@ -5152,7 +5166,6 @@ static __init int smack_init(void)
+ * Register with LSM
+ */
+ security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+- smack_enabled = 1;
+
+ pr_info("Smack: Initializing.\n");
+ #ifdef CONFIG_SECURITY_SMACK_NETFILTER
+@@ -5178,6 +5191,7 @@ static __init int smack_init(void)
+ DEFINE_LSM(smack) = {
+ .name = "smack",
+ .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
++ .enabled = &smack_enabled,
+ .blobs = &smack_blob_sizes,
+ .init = smack_init,
+ };
+diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
+index 298d18275..3001e5f61 100644
+--- a/security/tomoyo/tomoyo.c
++++ b/security/tomoyo/tomoyo.c
+@@ -584,7 +584,20 @@ static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
+ /* Lock for GC. */
+ DEFINE_SRCU(tomoyo_ss);
+
+-int tomoyo_enabled __ro_after_init = 1;
++/* Boot time disable flag */
++int tomoyo_enabled __ro_after_init = 0;
++module_param_named(enabled, tomoyo_enabled, int, 0444);
++
++static int __init tomoyo_enabled_setup(char *str)
++{
++ unsigned long enabled;
++ int error = kstrtoul(str, 0, &enabled);
++ if (!error)
++ tomoyo_enabled = enabled ? 1 : 0;
++ return 1;
++}
++
++__setup("tomoyo=", tomoyo_enabled_setup);
+
+ /**
+ * tomoyo_init - Register TOMOYO Linux as a LSM module.
+-- 
+2.40.1
+
diff --git a/kernel.spec b/kernel.spec
index 6b30f75..aa2a396 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -35,7 +35,7 @@
 %define sublevel 27
 # Release number. Increase this before a rebuild.
-%define rpmrel 2
+%define rpmrel 3
 %define fullrpmrel %{rpmrel}
 %define rpmtag %{disttag}
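Review bot: The comment `/* Boot time disable flag */` is misleading on the new side of the smack_lsm.c and tomoyo.c hunks (and now also above apparmor_enabled): each variable is initialised to 0, `smack_enabled = 1;` is dropped from smack_init(), and nothing visible sets the flag except the new `smack=`/`tomoyo=` __setup handlers and the read-only `enabled` module parameter, so these are opt-in enable flags. I would write it as `/* Off by default: enable with smack=1 or smack.enabled=1 on the kernel command line */` (same wording for TOMOYO) and spell the required option out in the commit message, whose title only says the LSMs are off. If I remember security.c correctly, append_ordered_lsm() does not write through a non-NULL `.enabled` pointer, so `security=smack` or `lsm=...,smack` on their own would probably leave SMACK and TOMOYO skipped at init — worth confirming before this ships, because a system that relied on `security=smack` would then boot silently without it. Also, a kstrtoul() failure in both new handlers is ignored and the handler still returns 1, so a value such as `smack=yes` quietly leaves the LSM disabled; that mirrors the AppArmor handler this was copied from, but a `pr_warn()` on the error path would make the mistake visible in dmesg.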
@@ -344,6 +344,8 @@ Patch207: 0207-kiosk-Implement-kiosk-module.patch
 # Allow to off modules signature check dynamically
 Patch306: 0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
+# Off SMACK, TOMOYO and AppArmor LSM modules by default while having them enabled by CONFIG_*
+Patch307: 0001-security-off-odd-LSM-by-default.patch
 # Support sound on notebook Aquarius NS685U R11 (https://linux-hardware.org/?probe=339dc3db60)
 Patch0401: 0401-ASoC-es8316-Use-increased-GPIO-debounce-time.patch