[PATCH] LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig"
Tetsuo Handa
penguin-kernel at i-love.sakura.ne.jp
Fri Mar 29 23:51:05 UTC 2019
On 2019/03/30 4:36, Kees Cook wrote:
> Note that since TOMOYO can be fully stacked against the other legacy
> major LSMs, when it is selected, it explicitly disables the other LSMs
> to avoid them also initializing since TOMOYO does not expect this
> currently.
Excuse me, but isn't this exception confusing, for DEFAULT_SECURITY_TOMOYO
and DEFAULT_SECURITY_DAC are "opt-in" whereas DEFAULT_SECURITY_SELINUX and
DEFAULT_SECURITY_SMACK and DEFAULT_SECURITY_APPARMOR are "opt-out" ?
If SELinux/Smack/AppArmor people think this mixture is fine, I'm fine though...
> config LSM
> string "Ordered list of enabled LSMs"
> + default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
> + default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
> + default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
> + default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
> default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> help
> A comma-separated list of LSMs, in initialization order.
>
More information about the Linux-security-module-archive
mailing list