Off SMACK, TOMOYO and AppArmor LSM modules by default

0001-security-off-odd-LSM-by-default.patch

@@ -0,0 +1,127 @@
+From 733d892580d0fa85a7cca2e1abd650ef0b5c78b4 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Thu, 25 Apr 2024 20:18:39 +0300
+Subject: [PATCH] security: off odd LSM by default
+
+Most ditros just do not enable not used LSM modules, but we have them enabled.
+They may become useful.
+
+However, there is a side effect, described in https://forum.rosalinux.ru/viewtopic.php?f=40&t=11089 and OTRS#20240403004357:
+security/smack/smack_netfilter.c adds a Netfilter (firewall) hook with priority=-225 (NF_IP_PRI_SELINUX_FIRST).
+When system is booted without "selinux=0" cmdline:
+srv1 ~ # netlabelctl map list
+domain:DEFAULT,UNLABELED
+but with "selinux=0":
+srv2 ~ # netlabelctl map list
+domain:"_",UNLABELED,4 domain:DEFAULT,CIPSOv4,3 domain:DEFAULT,UNLABELED,6
+
+Also, odd errors are sometimes printed:
+$ mv 0001-security-off-odd-LSM-by-default.patch /mnt/dev/rosa-pkgs/kernel-6.6 -v
+mv: setting attribute 'security.SMACK64' for 'security.SMACK64': Operation not permitted
+
+Added code for SMACK and TOMOYO is based on AppArmor.
+---
+ security/apparmor/lsm.c    |  2 +-
+ security/smack/smack.h     |  2 +-
+ security/smack/smack_lsm.c | 18 ++++++++++++++++--
+ security/tomoyo/tomoyo.c   | 15 ++++++++++++++-
+ 4 files changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 366cdfd6a..42846cb93 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1461,7 +1461,7 @@ static const struct kernel_param_ops param_ops_aaintbool = {
+ 	.get = param_get_aaintbool
+ };
+ /* Boot time disable flag */
+-static int apparmor_enabled __ro_after_init = 1;
++static int apparmor_enabled __ro_after_init = 0;
+ module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
+ 
+ static int __init apparmor_enabled_setup(char *str)
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 041688e5a..b204d2fa2 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -294,7 +294,7 @@ int smack_populate_secattr(struct smack_known *skp);
+ /*
+  * Shared data.
+  */
+-extern int smack_enabled __initdata;
++extern int smack_enabled;
+ extern int smack_cipso_direct;
+ extern int smack_cipso_mapped;
+ extern struct smack_known *smack_net_ambient;
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index e1e297deb..72827dcde 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -66,7 +66,21 @@ static DEFINE_MUTEX(smack_ipv6_lock);
+ static LIST_HEAD(smk_ipv6_port_list);
+ #endif
+ struct kmem_cache *smack_rule_cache;
+-int smack_enabled __initdata;
++
++/* Boot time disable flag */
++int smack_enabled __ro_after_init = 0;
++module_param_named(enabled, smack_enabled, int, 0444);
++
++static int __init smack_enabled_setup(char *str)
++{
++	unsigned long enabled;
++	int error = kstrtoul(str, 0, &enabled);
++	if (!error)
++		smack_enabled = enabled ? 1 : 0;
++	return 1;
++}
++
++__setup("smack=", smack_enabled_setup);
+ 
+ #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
+ static struct {
+@@ -5152,7 +5166,6 @@ static __init int smack_init(void)
+ 	 * Register with LSM
+ 	 */
+ 	security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+-	smack_enabled = 1;
+ 
+ 	pr_info("Smack:  Initializing.\n");
+ #ifdef CONFIG_SECURITY_SMACK_NETFILTER
+@@ -5178,6 +5191,7 @@ static __init int smack_init(void)
+ DEFINE_LSM(smack) = {
+ 	.name = "smack",
+ 	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
++	.enabled = &smack_enabled,
+ 	.blobs = &smack_blob_sizes,
+ 	.init = smack_init,
+ };
+diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
+index 298d18275..3001e5f61 100644
+--- a/security/tomoyo/tomoyo.c
++++ b/security/tomoyo/tomoyo.c
+@@ -584,7 +584,20 @@ static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
+ /* Lock for GC. */
+ DEFINE_SRCU(tomoyo_ss);
+ 
+-int tomoyo_enabled __ro_after_init = 1;
++/* Boot time disable flag */
++int tomoyo_enabled __ro_after_init = 0;
++module_param_named(enabled, tomoyo_enabled, int, 0444);
++
++static int __init tomoyo_enabled_setup(char *str)
++{
++	unsigned long enabled;
++	int error = kstrtoul(str, 0, &enabled);
++	if (!error)
++		tomoyo_enabled = enabled ? 1 : 0;
++	return 1;
++}
++
++__setup("tomoyo=", tomoyo_enabled_setup);
+ 
+ /**
+  * tomoyo_init - Register TOMOYO Linux as a LSM module.
+-- 
+2.40.1
+

kernel.spec

@@ -35,7 +35,7 @@
 %define sublevel 27
 
 # Release number. Increase this before a rebuild.
-%define rpmrel 2
+%define rpmrel 3
 %define fullrpmrel %{rpmrel}
 
 %define rpmtag %{disttag}
@@ -344,6 +344,8 @@ Patch207:	0207-kiosk-Implement-kiosk-module.patch
 
 # Allow to off modules signature check dynamically
 Patch306:	0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
+# Off SMACK, TOMOYO and AppArmor LSM modules by default while having them enabled by CONFIG_*
+Patch307:	0001-security-off-odd-LSM-by-default.patch
 
 # Support sound on notebook Aquarius NS685U R11 (https://linux-hardware.org/?probe=339dc3db60)
 Patch0401: 0401-ASoC-es8316-Use-increased-GPIO-debounce-time.patch