Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter
From: Kees Cook <hidden>
Date: 2018-10-05 16:35:36
On Thu, Oct 4, 2018 at 9:58 PM, James Morris [off-list ref] wrote:
> On Thu, 4 Oct 2018, Kees Cook wrote:
>> On Thu, Oct 4, 2018 at 10:49 AM, James Morris [off-list ref] wrote:
>>> On Wed, 3 Oct 2018, Kees Cook wrote:
>>>> Then someone boots the system with:
>>>>
>>>> selinux=1 security=selinux
>>>>
>>>> In what order does selinux get initialized relative to yama?
>>>> (apparmor, flagged as a "legacy major", would have been disabled by
>>>> the "security=" not matching it.)
>>>
>>> It doesn't, it needs to be specified in one place. Distros will need
>>> to update boot parameter handling for this kernel onwards. Otherwise,
>>> we will need to carry this confusing mess forward forever.
>>
>> Are you saying that you want to overrule Paul and Stephen about keeping
>> "selinux=1 security=selinux" working?
>
> Not overrule, but convince. At least, deprecate selinux=1 and security=X,
> but not extend it any further.

Okay, this is the expectation from me as well. I think my series makes it
work as-is with the new stuff just fine.

>>>> In my most recent suggestion, there is no '!' disablement, just
>>>> enablement. If an LSM is not listed in CONFIG_LSM="", it's not
>>>> enabled.
>>>
>>> And a user would need to specify ALL lsms on the "lsm=" line?
>>
>> Yes, the ones they want enabled.
>>
>> What do you think of my latest proposal? It could happily work all three
>> ways: old boot params and security= work ("selinux=1 security=selinux"
>> keeps working), individual LSM enable/disable works ("lsm=+loadpin"),
>> and full LSM ordering works ("lsm=each,lsm,in,order,here"):
>> https://lore.kernel.org/lkml/CAGXu5jJJit8bDNvgXaFkuvFPy7NWtJW2oRWFbG-6iWk0+A1qng@mail.gmail.com/
>
> I think having something like +yama will still lead to confusion.
> Explicitly stating each enabled LSM in order is totally unambiguous. If
> people are moving away from the distro defaults, and there is no
> high-level interface to manage this, it seems to me there's a deeper
> issue with the distro.

Okay. I will adjust the series and send a v5.

-Kees

-- 
Kees Cook
Pixel Security
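As an added illustration of the explicit-ordering semantics James argues for in the thread above (my own userspace model, not code from the series or from the kernel): the `lsm=` list is taken as the complete, ordered set of enabled LSMs, so the selinux-versus-yama initialization question has exactly one answer and an unlisted LSM such as loadpin is simply off. The built-in LSM set and the list values are constructed for the example.

```c
/* Userspace model of the explicit "lsm=" semantics argued for above: the list
 * names every enabled LSM in order; unlisted ones stay disabled. Not kernel code. */
#include <stdio.h>
#include <string.h>
#define NAME_LEN 16
#define MAX_LSMS 8
static const char *builtin_lsms[] = { "yama", "loadpin", "selinux", "apparmor" }; /* constructed build */

static int is_builtin(const char *name)
{
    for (size_t i = 0; i < sizeof(builtin_lsms) / sizeof(builtin_lsms[0]); i++)
        if (strcmp(builtin_lsms[i], name) == 0)
            return 1;
    return 0;
}

/* Parse a comma-separated list (a boot-time "lsm=" value or the CONFIG_LSM
 * default) into out[] in the given order. Names that are not built in or that
 * repeat are reported and skipped. Returns the number of LSMs enabled. */
int parse_lsm_order(const char *list, char out[][NAME_LEN], int max)
{
    char buf[128];
    int n = 0;
    strncpy(buf, list, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok && n < max; tok = strtok(NULL, ",")) {
        int i = 0;
        while (i < n && strcmp(out[i], tok) != 0)
            i++;
        if (!is_builtin(tok) || i < n) {
            fprintf(stderr, "lsm: ignoring '%s' (unknown or repeated)\n", tok);
            continue;
        }
        strncpy(out[n], tok, NAME_LEN - 1);
        out[n++][NAME_LEN - 1] = '\0';
    }
    return n;
}

/* Initialization position of an LSM under a given list, or -1 if it is not
 * enabled. With "selinux,yama" the thread's question has one answer: 0 vs 1. */
int lsm_init_index(const char *list, const char *name)
{
    char order[MAX_LSMS][NAME_LEN];
    int n = parse_lsm_order(list, order, MAX_LSMS);
    for (int i = 0; i < n; i++)
        if (strcmp(order[i], name) == 0)
            return i;
    return -1;
}
```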