[RFC PATCH] security: add an interface to lookup the lockdown reason

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 10 15:45:19 UTC 2019


On 12/10/19 10:04 AM, Paul Moore wrote:
> On Tue, Dec 10, 2019 at 9:59 AM Stephen Smalley <sds at tycho.nsa.gov> wrote:
>> On 12/9/19 9:28 PM, Paul Moore wrote:
>>> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
>>> a problem where the lockdown reason table is missing.  This patch
>>> attempts to fix this by hiding the table behind a lookup function.
>>
>> Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
>> CONFIG_SECURITY?  When/why would we want it built without
>> CONFIG_SECURITY enabled?
> 
> My first thought of a fix was just that, but I remembered that the
> capabilities code is built regardless of the CONFIG_SECURITY setting
> and I thought there might be some value in allowing for lsm_audit to
> be used in commoncap (although in full disclosure commoncap doesn't
> currently make use of lsm_audit).

Seems contrary to normal practice, i.e. if/when commoncap grows a 
dependency, it can be changed then.




More information about the Linux-security-module-archive mailing list