security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

Subsequent patches will add RO hardening to LSM hooks; however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.
Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: James Morris <james.l.morris@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Kees Cook <keescook@chromium.org>
diff --git a/security/Kconfig b/security/Kconfig
index d900f47..3ff1bf9 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -31,6 +31,11 @@
If you are unsure how to answer this question, answer N.
+config SECURITY_WRITABLE_HOOKS
+ depends on SECURITY
+ bool
+ default n
+
config SECURITYFS
bool "Enable the securityfs filesystem"
help
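
Review bot: the new SECURITY_WRITABLE_HOOKS entry has neither a prompt string nor a help text, so nothing in security/Kconfig records that it is intended to be pulled in by another option rather than set by the user, or that turning it on leaves the LSM hooks writable after init. Since this symbol is the switch that opts a build out of the RO hardening the commit message describes, a short help block or a comment line above the entry saying which case it exists for (runtime disablement after init) would let anyone auditing a .config judge what CONFIG_SECURITY_WRITABLE_HOOKS=y costs them. Minor style point on the same entry: "default n" is redundant for a bool, which already defaults to n, so that line can be dropped.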