	 000d388ed3
			
		
	
	
			While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
		
			
				
	
	
		
			Makefile
		
	
	
	
	
	
# SPDX-License-Identifier: GPL-2.0
#
# Makefile for the kernel security code
#
# Every "<list>-$(CONFIG_FOO)" entry below is expanded with the value of the
# Kconfig symbol, so it only takes effect when that symbol is enabled; with
# the symbol unset the entry ends up in an unused "obj-" / "subdir-" list.
#

# Key management code in keys/ is built only when CONFIG_KEYS is set.
obj-$(CONFIG_KEYS)			+= keys/

# Per-LSM subdirectories, each gated by its own Kconfig symbol.
# NOTE(review): every directory listed here also has an
# "obj-$(CONFIG_...) += <dir>/" entry in the object list further down, which
# by itself makes kbuild descend into the directory; these subdir- lines look
# redundant -- confirm before changing them.
subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
subdir-$(CONFIG_SECURITY_SMACK)		+= smack
subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
subdir-$(CONFIG_SECURITY_YAMA)		+= yama
subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
subdir-$(CONFIG_SECURITY_SAFESETID)    += safesetid
# Lockdown LSM: both of its entries in this file are gated by
# CONFIG_SECURITY_LOCKDOWN_LSM, so a kernel configured without that symbol
# gets no code from lockdown/. Check the resulting .config when a lockdown
# policy is expected to be present.
subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown

# always enable default capabilities
# commoncap.o is listed under obj-y, so it is built regardless of which LSMs
# are configured; min_addr.o is added only on CONFIG_MMU kernels.
obj-y					+= commoncap.o
obj-$(CONFIG_MMU)			+= min_addr.o

# Object file lists
# security.o is gated by CONFIG_SECURITY and inode.o by CONFIG_SECURITYFS;
# the LSM directories follow, each behind its own symbol.
# NOTE(review): the order of obj- entries can influence link order -- keep
# new entries in line with the existing sequence unless a reorder is intended.
obj-$(CONFIG_SECURITY)			+= security.o
obj-$(CONFIG_SECURITYFS)		+= inode.o
obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/
obj-$(CONFIG_SECURITY_SMACK)		+= smack/
obj-$(CONFIG_AUDIT)			+= lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/
obj-$(CONFIG_SECURITY_YAMA)		+= yama/
obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
obj-$(CONFIG_SECURITY_SAFESETID)       += safesetid/
# NOTE(review): if the lockdown LSM exposes its policy through securityfs, it
# also needs inode.o (CONFIG_SECURITYFS) to be built; that dependency would
# be expressed in Kconfig, not in this file -- confirm it is declared there.
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o

# Object integrity file lists
# The integrity subsystem is built only when CONFIG_INTEGRITY is set.
subdir-$(CONFIG_INTEGRITY)		+= integrity
obj-$(CONFIG_INTEGRITY)			+= integrity/