As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.

Remove the "version" parameter in order to make it more widely
available.

Starts making some kernel configuration helpers available.
The intent is to be able to better build and check the linux kernel
configuration.

The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).
The LSM allows configuring a whitelist policy of permitted from:to uid
transitions. The policy is enforced upon calls to setuid(2) and related
syscalls.
Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies
A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).
A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).
See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html

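A userspace model of the decision SafeSetID makes on setuid(2), as an added example that is not part of the commit message, the kernel or nixpkgs. It parses the "from:to" policy lines the message describes, evaluates a transition against them (allow, or kill the process), and includes a helper that writes validated lines to the two securityfs files named above. The /sys/kernel/security mount point and the treatment of a transition to the caller's own uid as permitted are assumptions of this model; the user-namespace restriction mentioned in the message is not modelled.

```python
"""Model of SafeSetID's from:to uid whitelist, plus a securityfs writer.
Added example; this is not the LSM's own code."""
from dataclasses import dataclass, field

# securityfs entry points from the commit message; /sys/kernel/security is
# the conventional securityfs mount point (assumption).
SECURITYFS = "/sys/kernel/security"
ADD_POLICY = f"{SECURITYFS}/safesetid/add_whitelist_policy"
FLUSH_POLICIES = f"{SECURITYFS}/safesetid/flush_whitelist_policies"


def parse_policy_line(line: str) -> tuple[int, int]:
    """Parse 'from_uid:to_uid' into a pair of ints; reject anything else."""
    parts = line.strip().split(":")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad policy line {line!r}; expected 'uid:uid'")
    src, dst = (int(p) for p in parts)
    if src == dst:
        raise ValueError("a transition to the same uid is not a policy")
    return src, dst


@dataclass
class SafeSetIDModel:
    """Userspace model of the check applied on setuid(2) and friends."""
    allowed: dict[int, set[int]] = field(default_factory=dict)

    def add_policy(self, line: str) -> None:
        src, dst = parse_policy_line(line)
        self.allowed.setdefault(src, set()).add(dst)

    def flush(self) -> None:
        """Equivalent of writing to flush_whitelist_policies."""
        self.allowed.clear()

    def is_constrained(self, uid: int) -> bool:
        """A uid with at least one configured policy is under the LSM's control."""
        return uid in self.allowed

    def check_setuid(self, current: int, target: int) -> str:
        """Return 'allow' or 'kill'. Uids without a policy are left to the
        kernel's ordinary CAP_SETUID checks; constrained uids may only move
        to a whitelisted target (staying put is assumed to be permitted)."""
        if not self.is_constrained(current):
            return "allow"
        if target == current or target in self.allowed[current]:
            return "allow"
        return "kill"


def write_policies(lines, path: str = ADD_POLICY) -> int:
    """Validate each 'uid:uid' line, then write it to securityfs, one write
    per policy. Needs root and the LSM enabled; returns the number written."""
    validated = [line.strip() for line in lines if parse_policy_line(line)]
    for line in validated:
        with open(path, "w") as f:
            f.write(line + "\n")
    return len(validated)


if __name__ == "__main__":
    model = SafeSetIDModel()
    for policy in ("1000:1001", "1000:1002"):   # constructed sample policies
        model.add_policy(policy)
    for cur, tgt in ((1000, 1001), (1000, 2000), (1001, 0)):
        print(f"setuid {cur} -> {tgt}: {model.check_setuid(cur, tgt)}")
```

The model is useful for sanity-checking a policy set before loading it: a uid that appears only as a target is unconstrained, so it is the parent uid's entry that decides what a service can drop to.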
This reverts commit c68e8b05f0.
RANDSTRUCT currently fails to work with out-of-tree modules, as
evinced by
c68e8b05f0 (commitcomment-31850284)
and https://github.com/NixOS/nixpkgs/issues/53522.
Specifically, loading out-of-tree modules results in modsym version
mismatches, as in
spl: version magic '4.20.0 SMP mod_unload modversions RANDSTRUCT_PLUGIN
from the issue above.
A working hypothesis is that the randstruct seed is not carried over when
building out-of-tree modules but more investigation is needed here.
Closes https://github.com/NixOS/nixpkgs/issues/53522

This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling
EXPERT however seems to introduce quite a few changes that would need to be
properly vetted.

The version guard is unnecessary, however, as this config has been supported
since 4.3.

SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
explicitly unsetting results in an error because the configfile builder fails
to detect that it has in fact been unset (reporting it as an unused option).
For now, leave WRITABLE_HOOKS as an "optional" config for documentation
purposes.

Note
- the kernel config parser ignores "# foo is unset" comments so they
have no effect; disabling kernel modules would break *everything* and so
is ill-suited for a general-purpose kernel anyway --- the hardened nixos
profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
the build; fix by making it optional
- restored some original comments which I feel are clearer
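The note above turns on a detail of the kernel's .config format: the only comment the config reader acts on is "# CONFIG_X is not set", so a comment such as "# CONFIG_X is unset" leaves the option untouched. The parser below, an added example that is neither nixpkgs' nor the kernel's code, reads a .config, records each option's state, flags look-alike comments that would silently have no effect, and compares the result against a required-settings map (the kind of check the "unused option" report in the message performs). The sample .config and the list of look-alike spellings are constructed for the example.

```python
"""Read a Linux .config and report option states. Added example; not
nixpkgs' or the kernel's own parser."""
import re

SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
# The one comment form Kconfig honours: it marks the option as 'n'.
NOT_SET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")
# Comments that read like a disable but are ignored by the kernel
# (constructed list of spellings for the example).
LOOKALIKE_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is (?:unset|disabled|off)\b")


def parse_config(text: str):
    """Return (options, warnings). options maps CONFIG_X to 'y', 'm', 'n' or a
    literal value; warnings lists comments that look like an attempt to
    disable an option but have no effect."""
    options, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := NOT_SET_RE.match(line):
            options[m.group(1)] = "n"
            continue
        if m := LOOKALIKE_RE.match(line):
            warnings.append(
                f"line {lineno}: '{line}' has no effect; "
                f"use '# {m.group(1)} is not set'")
            continue
        if line.startswith("#"):      # any other comment is just a comment
            continue
        if m := SET_RE.match(line):
            name, value = m.groups()
            # string options are quoted in .config; keep the bare text
            options[name] = value[1:-1] if value.startswith('"') else value
    return options, warnings


def check_required(options: dict, required: dict) -> list[str]:
    """Compare parsed states against {CONFIG_X: expected}; an option that is
    absent from .config counts as 'n'. Returns a list of mismatches."""
    return [f"{k}: want {v}, have {options.get(k, 'n')}"
            for k, v in required.items() if options.get(k, "n") != v]


# Constructed sample .config fragment; the 'is unset' line is the trap.
SAMPLE = """\
CONFIG_SECCOMP=y
CONFIG_SECURITY_YAMA=y
# CONFIG_MODIFY_LDT_SYSCALL is not set
# CONFIG_MODULES is unset
CONFIG_SECURITY_SAFESETID=y
CONFIG_LOCALVERSION="-hardened"
"""

if __name__ == "__main__":
    opts, warns = parse_config(SAMPLE)
    for w in warns:
        print("warning:", w)
    for mismatch in check_required(opts, {"CONFIG_SECCOMP": "y",
                                          "CONFIG_MODULES": "n"}):
        print("mismatch:", mismatch)
```

Running it over a generated .config rather than the Nix-side option set is the point: the generated file is what the build actually honours, so an intended disable that reached the file only as a free-form comment shows up here as a warning instead of being assumed to have taken effect.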