From abc8ed3fcae60ad2586307c854bdb21f993592f0 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sat, 5 Jan 2019 13:20:09 +0100 Subject: [PATCH] hardened-config: clarify readonly LSM hooks config SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE; explicitly unsetting results in an error because the configfile builder fails to detect that it has in fact been unset (reporting it as an unused option). For now, leave WRITABLE_HOOKS as an "optional" config for documentation purposes. --- .../os-specific/linux/kernel/hardened-config.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index a6a835c1fe9..13db3873e62 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -52,15 +52,17 @@ ${optionalString (versionOlder version "4.11") '' DEBUG_SET_MODULE_RONX y ''} -# Mark LSM hooks read-only after init. Conflicts with SECURITY_SELINUX_DISABLE -# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot -# via the selinux=0 boot parameter. +# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n +# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter +# implicitly marks LSM hooks read-only after init. +# +# SELinux can only be disabled at boot via selinux=0 +# +# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the +# config builder fails to detect that it has indeed been unset. ${optionalString (versionAtLeast version "4.12") '' SECURITY_SELINUX_DISABLE n -''} - -${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) '' - SECURITY_WRITABLE_HOOKS n + SECURITY_WRITABLE_HOOKS? n ''} DEBUG_WX y # boot-time warning on RWX mappings