| author | Joachim Fasting <joachifm@fastmail.fm> | 2019-01-05 13:20:09 +0100 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-01-05 14:07:33 +0100 |
| commit | abc8ed3fcae60ad2586307c854bdb21f993592f0 | |
| tree | 1706dff326f8d83461962aba4c669ac07e593943 /pkgs/os-specific | |
| parent | c68e8b05f005381ac1caf51bb28282b70242b77b | |
hardened-config: clarify readonly LSM hooks config
SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE; explicitly unsetting results in an error because the configfile builder fails to detect that it has in fact been unset (reporting it as an unused option). For now, leave WRITABLE_HOOKS as an "optional" config for documentation purposes.
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index a6a835c1fe9f8..13db3873e628b 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -52,15 +52,17 @@ ${optionalString (versionOlder version "4.11") '' DEBUG_SET_MODULE_RONX y ''} -# Mark LSM hooks read-only after init. Conflicts with SECURITY_SELINUX_DISABLE -# (disabling SELinux at runtime); hence, SELinux can only be disabled at boot -# via the selinux=0 boot parameter. +# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n +# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter +# implicitly marks LSM hooks read-only after init. +# +# SELinux can only be disabled at boot via selinux=0 +# +# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the +# config builder fails to detect that it has indeed been unset. ${optionalString (versionAtLeast version "4.12") '' SECURITY_SELINUX_DISABLE n -''} - -${optionalString ((versionAtLeast version "4.12") && (versionOlder version "4.17")) '' - SECURITY_WRITABLE_HOOKS n + SECURITY_WRITABLE_HOOKS? n ''} DEBUG_WX y # boot-time warning on RWX mappings |
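Review bot: the new comment block should state what the `?` suffix in `SECURITY_WRITABLE_HOOKS? n` does, because the hunk drops the old `versionOlder version "4.17"` upper bound and the line is now emitted for every kernel from 4.12 on; the commit message explains that the config builder reports the symbol as unused when it is unset, so the optional marker is the only thing keeping the build from failing on those kernels, and a reader of the comment alone cannot see that. Suggest replacing "We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the config builder fails to detect that it has indeed been unset." with something like "SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE and is listed here as optional (`?`) for documentation only; the config builder would otherwise report it as unused." Also, the sentence "SECURITY_WRITABLE_HOOKS n conflicts with SECURITY_SELINUX_DISABLE y" reads as though the two are independent user-settable options, whereas the commit message says the former is implicitly controlled by the latter; wording it that way avoids the contradiction with the line "disabling the latter implicitly marks LSM hooks read-only after init" that immediately follows. Minor: the line "# SELinux can only be disabled at boot via selinux=0" is missing its terminating period, unlike the surrounding comment lines.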