Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter

[PATCH security-next v4 00/32] LSM: Explict LSM ordering · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 01/32] LSM: Correctly announce start of LSM initialization · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 04/32] LSM: Remove initcall tracing · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 04/32] LSM: Remove initcall tracing · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 03/32] LSM: Rename .security_initcall section to .lsm_info · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 02/32] vmlinux.lds.h: Avoid copy/paste of security_init section · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 05/32] LSM: Convert from initcall to struct lsm_info · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 08/32] LSM: Record LSM name in struct lsm_info · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 06/32] vmlinux.lds.h: Move LSM_TABLE into INIT_DATA · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 09/32] LSM: Provide init debugging infrastructure · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 14/32] LSM: Plumb visibility into optional "enabled" state · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 32/32] LSM: Add all exclusive LSMs to ordered initialization · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 26/32] LSM: Introduce "lsm.order=" for boottime ordering · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 30/32] capability: Initialize as LSM_ORDER_FIRST · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 31/32] LSM: Separate idea of "major" LSM from "exclusive" LSM · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" · Randy Dunlap <hidden> · 2018-10-02
Re: [PATCH security-next v4 13/32] LoadPin: Rename "enable" to "enforce" · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 11/32] LSM: Introduce LSM_FLAG_LEGACY_MAJOR · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 07/32] LSM: Convert security_initcall() into DEFINE_LSM() · James Morris <jmorris@namei.org> · 2018-10-02
[PATCH security-next v4 15/32] LSM: Lift LSM selection out of individual LSMs · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 12/32] LSM: Provide separate ordered initialization · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 10/32] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures · James Morris <jmorris@namei.org> · 2018-10-02
Re: [PATCH security-next v4 10/32] LSM: Don't ignore initialization failures · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 18/32] LSM: Introduce lsm.enable= and lsm.disable= · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 19/32] LSM: Prepare for reorganizing "security=" logic · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 22/32] apparmor: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 29/32] LSM: Introduce enum lsm_order · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 28/32] Yama: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 25/32] LSM: Introduce CONFIG_LSM_ORDER · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic · Randy Dunlap <hidden> · 2018-10-02
Re: [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 20/32] LSM: Refactor "security=" in terms of enable/disable · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 24/32] LSM: Build ordered list of ordered LSMs for init · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Paul Moore <paul@paul-moore.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Jordan Glover <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Stephen Smalley <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Paul Moore <paul@paul-moore.com> · 2018-10-08
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Jordan Glover <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Randy Dunlap <hidden> · 2018-10-03
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-04
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · James Morris <jmorris@namei.org> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-05
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · John Johansen <john.johansen@canonical.com> · 2018-10-02
Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 27/32] LoadPin: Initialize as ordered LSM · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 17/32] LSM: Introduce CONFIG_LSM_ENABLE · Kees Cook <hidden> · 2018-10-02
[PATCH security-next v4 16/32] LSM: Prepare for arbitrary LSM enabling · Kees Cook <hidden> · 2018-10-02

From: James Morris <jmorris@namei.org>
Date: 2018-10-03 18:28:21
Also in: linux-arch, linux-doc, lkml

On Wed, 3 Oct 2018, Kees Cook wrote:

On Wed, Oct 3, 2018 at 11:17 AM, James Morris [off-list ref] wrote:

quoted

On Tue, 2 Oct 2018, John Johansen wrote:

quoted

To me a list like
  lsm.enable=X,Y,Z

What about even simpler:

lsm=selinux,!apparmor,yama

We're going to have lsm.order=, so I'd like to keep it with a dot
separator (this makes it more like module parameters, too). You want
to mix enable/disable in the same string? That implies you'd want
implicit enabling (i.e. it complements the builtin enabling), which is
opposite from what John wanted.

Why can't this be the order as well?

-- 
James Morris
[off-list ref]

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help