Re: [PATCH] LSM: Revive CONFIG_DEFAULT_SECURITY_* for "make oldconfig"
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date: 2019-03-29 23:51:37
Also in:
lkml
On 2019/03/30 4:36, Kees Cook wrote:
Note that since TOMOYO can be fully stacked against the other legacy major LSMs, when it is selected, it explicitly disables the other LSMs to avoid them also initializing since TOMOYO does not expect this currently.
Excuse me, but isn't this exception confusing, since DEFAULT_SECURITY_TOMOYO and DEFAULT_SECURITY_DAC are "opt-in" whereas DEFAULT_SECURITY_SELINUX, DEFAULT_SECURITY_SMACK and DEFAULT_SECURITY_APPARMOR are "opt-out"? If SELinux/Smack/AppArmor people think this mixture is fine, I'm fine though...
config LSM string "Ordered list of enabled LSMs" + default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK + default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR + default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO + default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor" help A comma-separated list of LSMs, in initialization order.
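Review bot: the `+ default ... if DEFAULT_SECURITY_TOMOYO` and `+ default ... if DEFAULT_SECURITY_DAC` lines drop selinux, smack and apparmor from the list entirely, while the SMACK and APPARMOR lines keep every major LSM and only move the chosen one to the front, so two entries of the same choice menu silently disable other LSMs and three do not. Either state that asymmetry in the help text (the current "A comma-separated list of LSMs, in initialization order." says nothing about it) or, if TOMOYO really must run alone as the commit text says, put a comment next to that default line explaining why, so a distribution running "make oldconfig" can see that picking TOMOYO or DAC removes the other LSMs from the boot-time list. Also, there is no `default ... if DEFAULT_SECURITY_SELINUX` line, so the SELinux choice relies on the unconditional fallback default below the four new lines; an explicit line would make the choices read uniformly and would keep the SELinux default stable if the fallback string is later changed.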