[PATCH] LSM: Allow syzbot to ignore security= parameter.
Tetsuo Handa
penguin-kernel at i-love.sakura.ne.jp
Sat Feb 9 00:28:14 UTC 2019
On 2019/02/09 1:23, Casey Schaufler wrote:
> On 2/8/2019 2:52 AM, Tetsuo Handa wrote:
>> To help administrators easily understand what LSM modules are possibly enabled by default (which
>> have to be fetched from e.g. /boot/config-`uname -r`)
>
> $ cat /sys/kernel/security/lsm
>
/sys/kernel/security/lsm is a list of "actually" enabled modules, isn't it?
What I want is "possibly" enabled modules. Ubuntu would choose from either
(a) explicitly add security=apparmor to the kernel command line
or
(b) explicitly remove tomoyo from CONFIG_LSM in the kernel config
in order not to enable TOMOYO for those who want to enable only one of
SELinux/Smack/AppArmor. And for those who want to enable TOMOYO, I think
that (b) (in other words, add
lsm="modules listed in CONFIG_LSM" + ",tomoyo"
) will retain compatibility when it becomes possible to enable more than
one of SELinux/Smack/AppArmor at the same time.
If we can know "possibly" enabled modules from dmesg, users don't need to
look at e.g. /boot/config-`uname -r`. It is not essential, but it's handy.
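
The distinction drawn in this message between "possibly" enabled modules (the CONFIG_LSM list in the kernel config) and "actually" enabled ones (/sys/kernel/security/lsm), as an added example that is not part of the original message. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: list LSMs that are configured in CONFIG_LSM ("possibly"
# enabled) but missing from the active list ("actually" enabled).

# Read a kernel config on stdin and print the value of CONFIG_LSM.
configured_lsms() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p'
}

# $1 = configured list, $2 = active list (both comma-separated).
# Prints the configured modules that are not active, in configured order.
inactive_lsms() {
    out=""
    old_ifs=$IFS
    IFS=,
    for m in $1; do
        case ",$2," in
            *",$m,"*) ;;                      # module is active
            *) out="${out:+$out,}$m" ;;       # configured but not active
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Constructed sample input. On a live system the equivalents would be
#   configured_lsms < /boot/config-$(uname -r)
#   cat /sys/kernel/security/lsm
sample_config='CONFIG_SECURITY=y
CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
CONFIG_SECURITY_TOMOYO=y'
sample_active="capability,yama,integrity,apparmor"

possible=$(printf '%s\n' "$sample_config" | configured_lsms)
echo "possibly enabled: $possible"
echo "actually enabled: $sample_active"
echo "configured but not active: $(inactive_lsms "$possible" "$sample_active")"
```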