From 345e0e679457d839bb2e23b5ed64947372d94fea Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Fri, 11 Aug 2017 23:25:30 +0200
Subject: [PATCH] hardened-config: enable read-only LSM hooks

Implies that SELinux can no longer be disabled at runtime (only at boot time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
---
 pkgs/os-specific/linux/kernel/hardened-config.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 579fb2947ec..5711779eb86 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -46,6 +46,14 @@ ${optionalString (versionOlder version "4.11") ''
 DEBUG_SET_MODULE_RONX y
 ''}
 
+# Mark LSM hooks read-only after init. Conflicts with SECURITY_SELINUX_DISABLE
+# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot
+# via the selinux=0 boot parameter.
+${optionalString (versionAtLeast version "4.12") ''
+  SECURITY_SELINUX_DISABLE n
+  SECURITY_WRITABLE_HOOKS n
+''}
+
 DEBUG_WX y # boot-time warning on RWX mappings
 
 # Stricter /dev/mem
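Review bot: `SECURITY_SELINUX_DISABLE n` is placed inside the `versionAtLeast version "4.12"` guard together with `SECURITY_WRITABLE_HOOKS n`, but only the latter depends on the 4.12 read-only-hooks change; the runtime SELinux-disable switch exists on older kernels too, and leaving it enabled there is the more consequential gap for a hardened config. Consider moving `SECURITY_SELINUX_DISABLE n` above the `optionalString` so that only `SECURITY_WRITABLE_HOOKS n` is version-gated. Separately, upstream appears to define SECURITY_WRITABLE_HOOKS as a non-user-selectable `def_bool` that is selected by SECURITY_SELINUX_DISABLE rather than set directly, so it may be worth checking that the config generator accepts an explicit answer for it (it could be reported as unused) — if so, answering SECURITY_SELINUX_DISABLE alone should be enough to keep the hooks read-only.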