[PATCH security-next v2 26/26] LSM: Add all exclusive LSMs to ordered initialization
From: casey@schaufler-ca.com (Casey Schaufler)
Date: 2018-09-21 14:57:43
Also in:
linux-arch, linux-doc, lkml
On 9/21/2018 6:19 AM, John Johansen wrote:
On 09/20/2018 08:02 PM, Kees Cook wrote:
On Thu, Sep 20, 2018 at 7:14 PM, John Johansen [off-list ref] wrote:
On 09/20/2018 07:05 PM, Kees Cook wrote:
On Thu, Sep 20, 2018 at 6:39 PM, John Johansen [off-list ref] wrote:
Yes, I like CONFIG_LSM_ENABLE if "empty" means "enable all". Should CONFIG_LSM_ENABLE replace all the other CONFIG-based LSM enabling/disabling?
I don't particularly like "empty" being "enable all". With that how would I disable all builtin lsms so that I just boot with capability. An option of all or even * is more explicit and leaves the empty set to mean disable everything
Okay, that works. I prefer "all" FWIW.
me too, I was just trying to throw out options.
I'll buy that. "all" is fine by me, although it means we can't have an LSM named "all". :) We should also allow "none" to mean no LSMs. I know lots of people who love using security=none.