mount.nfs: Protocol error after upgrade to linux/master
Kees Cook
keescook at chromium.org
Fri Mar 22 22:45:04 UTC 2019
On Thu, Mar 21, 2019 at 2:10 PM Tetsuo Handa
<penguin-kernel at i-love.sakura.ne.jp> wrote:
>
> On 2019/03/22 1:38, Kees Cook wrote:
> > This is mostly good. I'd like to keep the other LSMs listed though
> > (similar to what I had originally) so that if a legacy-major doesn't
> > initialize, later ones will be. I want to remove the concept of
> > "major" LSMs. The only thing that should matter is init order...
>
> Excuse me? Are you saying that
>
> if a legacy-major (which is defined as the "Default security module")
> doesn't initialize, later ones (any of selinux,smack,tomoyo,apparmor
> except the one which is defined as "Default security module") will be
> initialized
>
> ? That sounds strange to me. Any of selinux,smack,tomoyo,apparmor can be
> initialized when specified by lsm= kernel command line option (or security=
> kernel command line option if lsm= kernel command line option is not
> specified), won't it?
It breaks the backward-compat for the "security=" line. If a system is
booted with CONFIG_LSM="minors...,apparmor" and "security=selinux",
neither apparmor nor selinux will be initialized. The logic on
"security=..." depends on the other LSMs being present in the list.
-Kees
--
Kees Cook
More information about the Linux-security-module-archive
mailing list