security: introduce CONFIG_SECURITY_WRITABLE_HOOKS
authorJames Morris <jmorris@namei.org>
Tue, 14 Feb 2017 13:17:24 +0000 (00:17 +1100)
committerJames Morris <james.l.morris@oracle.com>
Mon, 6 Mar 2017 00:00:12 +0000 (11:00 +1100)
commitdd0859dccbe291cf8179a96390f5c0e45cb9af1d
treee7a2b67dfdb2beaa07d42a314eb142289599d381
parent84e6885e9e6a818d1ca1eabb9b720b357ab07a8b
security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

Subsequent patches will add RO hardening to LSM hooks, however, SELinux
still needs to be able to perform runtime disablement after init to handle
architectures where init-time disablement via boot parameters is not feasible.

Introduce a new kernel configuration parameter CONFIG_SECURITY_WRITABLE_HOOKS,
and a helper macro __lsm_ro_after_init, to handle this case.

Signed-off-by: James Morris <james.l.morris@oracle.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Kees Cook <keescook@chromium.org>
include/linux/lsm_hooks.h
security/Kconfig
security/selinux/Kconfig