diff --git a/security/Kconfig b/security/Kconfig
index cd3cc7da3a55d9..8fe3efc4bb8ffc 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -235,6 +235,7 @@ source "security/smack/Kconfig"
 source "security/tomoyo/Kconfig"
 source "security/apparmor/Kconfig"
 source "security/loadpin/Kconfig"
+source "security/paulsm/Kconfig"
 source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
 source "security/lockdown/Kconfig"
diff --git a/security/Makefile b/security/Makefile
index 3baf435de5411b..fda594d4e4ef46 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -10,6 +10,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
 subdir-$(CONFIG_SECURITY_YAMA) += yama
 subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
+subdir-$(CONFIG_SECURITY_PAULSM) += paulsm
 subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
 subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
 subdir-$(CONFIG_BPF_LSM) += bpf
@@ -28,6 +29,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
 obj-$(CONFIG_SECURITY_YAMA) += yama/
 obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
+obj-$(CONFIG_SECURITY_PAULSM) += paulsm/
 obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
 obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
 obj-$(CONFIG_CGROUPS) += device_cgroup.o
diff --git a/security/paulsm/Kconfig b/security/paulsm/Kconfig
new file mode 100644
index 00000000000000..2433298c19f1e6
--- /dev/null
+++ b/security/paulsm/Kconfig
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-only
+config SECURITY_PAULSM
+ bool "Prevents any file that starts with `paul` to be deleted"
+ depends on SECURITY && BLOCK
+ help
+ Any hard link unlinking on files that starts with `paul` will be prevented, and an error message will be displayed.
+
+config SECURITY_PAULSM_ENFORCE
+ bool "Enforce paulsm at boot"
+ depends on SECURITY_PAULSM
+ help
+ If selected, paulsm will be enforced at boot.
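Review bot: SECURITY_PAULSM_ENFORCE is declared in the new security/paulsm/Kconfig, but nothing else in this diff reads CONFIG_SECURITY_PAULSM_ENFORCE (paulsm.c never references it), so toggling the option changes nothing and the "Enforce paulsm at boot" help text promises a permissive/enforcing split that does not exist; either drop the symbol or have the hook consult it before refusing. The `depends on SECURITY && BLOCK` line pulls in a BLOCK dependency that a module hooking only inode_unlink does not appear to need, so `depends on SECURITY` alone looks sufficient. The prompt and help text also overstate the guarantee: only unlink() is intercepted, so rename() over a matching target (which also drops the old inode) and rmdir() of a matching directory are not covered, and the "error message" is a kernel log line rather than anything shown to the caller. I would phrase the help as `Refuses unlink() of any dentry whose name starts with "paul" and logs the attempt to the kernel log; rename and rmdir are not intercepted.`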
diff --git a/security/paulsm/Makefile b/security/paulsm/Makefile
new file mode 100644
index 00000000000000..5e9555cfedcd33
--- /dev/null
+++ b/security/paulsm/Makefile
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+obj-$(CONFIG_SECURITY_PAULSM) += paulsm.o
diff --git a/security/paulsm/paulsm.c b/security/paulsm/paulsm.c
new file mode 100644
index 00000000000000..55a28288d75730
--- /dev/null
+++ b/security/paulsm/paulsm.c
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include
+#include
+
+static int paul_inode_unlink(struct inode *dir, struct dentry *dentry)
+{
+ if (strncmp("paul", dentry->d_iname, 4) == 0) {
+ printk(KERN_ALERT "Paul's unlinking node alert: %s\n",
+ dentry->d_iname);
+ return 1;
+ }
+ return 0;
+}
+
+static struct security_hook_list paulsm_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(inode_unlink, paul_inode_unlink),
+};
+
+static int __init paulsm_init(void)
+{
+ printk(KERN_ALERT "paulsm init");
+ security_add_hooks(paulsm_hooks, ARRAY_SIZE(paulsm_hooks), "paulsm");
+ return 0;
+}
+
+DEFINE_LSM(paulsm) = {
+ .name = "paulsm",
+ .init = paulsm_init,
+};
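Review bot: paul_inode_unlink refuses the operation with `return 1;`, but LSM inode hooks must return 0 or a negative errno; a positive value is not an error code, and as far as I can tell from the VFS's `if (!error)` handling it would be handed back to the caller as a positive return instead of a proper -EPERM, so the refusal should be `return -EPERM;`. The prefix test reads `dentry->d_iname`, which is only the inline short-name buffer, rather than `dentry->d_name.name`; for names longer than the inline limit d_iname does not hold the name, so a long-named "paul..." file would not be matched — compare against `d_name.name`/`d_name.len` instead. Both log lines use KERN_ALERT, and the init message lacks a trailing newline; the conventional form is `pr_info("paulsm: initialized\n");` for init and pr_alert (or lower) with a "paulsm:" prefix for the refusal. Two smaller points: the two `#include` lines appear stripped in this rendering so I cannot confirm which headers are pulled in, and the module never consults CONFIG_SECURITY_PAULSM_ENFORCE from the accompanying Kconfig, so it is always enforcing regardless of that option.
```c
static int paul_inode_unlink(struct inode *dir, struct dentry *dentry)
{
	/* d_name covers every name length; d_iname is only the inline buffer. */
	if (dentry->d_name.len >= 4 && !memcmp(dentry->d_name.name, "paul", 4)) {
		pr_alert("paulsm: refusing unlink of %s\n", dentry->d_name.name);
		/* LSM hooks signal refusal with -errno, never a positive value. */
		return -EPERM;
	}
	return 0;
}
/* … unchanged: paulsm_hooks table, paulsm_init, DEFINE_LSM … */
```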