[PATCH security-next v2 19/26] LSM: Introduce CONFIG_LSM_ORDER

[PATCH security-next v2 00/26] LSM: Explict LSM ordering · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 04/26] LSM: Remove initcall tracing · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 02/26] vmlinux.lds.h: Avoid copy/paste of security_init section · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 07/26] LSM: Convert security_initcall() into DEFINE_LSM() · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 10/26] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 11/26] LSM: Introduce LSM_FLAG_LEGACY_MAJOR · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 12/26] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 13/26] LSM: Plumb visibility into optional "enabled" state · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 19/26] LSM: Introduce CONFIG_LSM_ORDER · Kees Cook <hidden> · 2018-09-20
Re: [PATCH security-next v2 19/26] LSM: Introduce CONFIG_LSM_ORDER · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
Re: [PATCH security-next v2 19/26] LSM: Introduce CONFIG_LSM_ORDER · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
[PATCH security-next v2 20/26] LSM: Introduce "lsm.order=" for boottime ordering · Kees Cook <hidden> · 2018-09-20
Re: [PATCH security-next v2 20/26] LSM: Introduce "lsm.order=" for boottime ordering · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
Re: [PATCH security-next v2 20/26] LSM: Introduce "lsm.order=" for boottime ordering · Kees Cook <hidden> · 2018-09-21
[PATCH security-next v2 14/26] LSM: Lift LSM selection out of individual LSMs · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 15/26] LSM: Introduce lsm.enable= and lsm.disable= · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 09/26] LSM: Provide init debugging infrastructure · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 08/26] LSM: Record LSM name in struct lsm_info · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 06/26] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 05/26] LSM: Convert from initcall to struct lsm_info · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 03/26] LSM: Rename .security_initcall section to .lsm_info · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 01/26] LSM: Correctly announce start of LSM initialization · Kees Cook <hidden> · 2018-09-20
Re: [PATCH security-next v2 01/26] LSM: Correctly announce start of LSM initialization · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-20
[PATCH security-next v2 24/26] capability: Mark as LSM_ORDER_FIRST · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 21/26] LoadPin: Initialize as ordered LSM · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 18/26] LSM: Build ordered list of ordered LSMs for init · Kees Cook <hidden> · 2018-09-20
Re: [PATCH security-next v2 18/26] LSM: Build ordered list of ordered LSMs for init · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
Re: [PATCH security-next v2 18/26] LSM: Build ordered list of ordered LSMs for init · Kees Cook <hidden> · 2018-09-21
[PATCH security-next v2 17/26] LSM: Refactor "security=" in terms of enable/disable · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 16/26] LSM: Prepare for reorganizing "security=" logic · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 25/26] LSM: Separate idea of "major" LSM from "exclusive" LSM · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-09-20
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · John Johansen <john.johansen@canonical.com> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · John Johansen <john.johansen@canonical.com> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · John Johansen <john.johansen@canonical.com> · 2018-09-21
Re: [PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization · Casey Schaufler <casey@schaufler-ca.com> · 2018-09-21
[PATCH security-next v2 23/26] LSM: Introduce enum lsm_order · Kees Cook <hidden> · 2018-09-20
[PATCH security-next v2 22/26] Yama: Initialize as ordered LSM · Kees Cook <hidden> · 2018-09-20
Re: [PATCH security-next v2 00/26] LSM: Explict LSM ordering · Martin Steigerwald <hidden> · 2018-09-20
Re: [PATCH security-next v2 00/26] LSM: Explict LSM ordering · Kees Cook <hidden> · 2018-09-20

From: casey@schaufler-ca.com (Casey Schaufler)
Date: 2018-09-21 00:14:45
Also in: linux-arch, linux-doc, lkml

On 9/20/2018 5:10 PM, Casey Schaufler wrote:

On 9/20/2018 9:23 AM, Kees Cook wrote:

quoted

This provides a way to declare LSM initialization order via Kconfig.

Signed-off-by: Kees Cook <redacted>
---
 security/Kconfig    | 11 +++++++++++
 security/security.c | 38 +++++++++++++++++++++++++++++++++++---
 2 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/security/Kconfig b/security/Kconfig
index 27d8b2688f75..de8202886c1d 100644
--- a/security/Kconfig
+++ b/security/Kconfig

@@ -276,5 +276,16 @@ config DEFAULT_SECURITY
 	default "apparmor" if DEFAULT_SECURITY_APPARMOR
 	default "" if DEFAULT_SECURITY_DAC
 
+config LSM_ORDER
+	string "Default initialization order of builtin LSMs"
+	default "integrity"

I would like to see the default spelled out rather than
provided implicitly.

  +	  default "integrity,yama,loadpin,selinux,smack,apparmor,tomoyo"

I see now that comes later in the patch set. Never mind.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help