Re: mount.nfs: Protocol error after upgrade to linux/master
From: Kees Cook
Date: Fri Mar 22 2019 - 18:45:23 EST
On Thu, Mar 21, 2019 at 2:10 PM Tetsuo Handa
> On 2019/03/22 1:38, Kees Cook wrote:
> > This is mostly good. I'd like to keep the other LSMs listed though
> > (similar to what I had originally) so that if a legacy-major doesn't
> > initialize, later ones will be. I want to remove the concept of
> > "major" LSMs. The only thing that should matter is init order...
> Excuse me? Are you saying that
> if a legacy-major (which is defined as the "Default security module")
> doesn't initialize, later ones (any of selinux,smack,tomoyo,apparmor
> except the one which is defined as "Default security module") will be
> ? That sounds strange to me. Any of selinux,smack,tomoyo,apparmor can be
> initialized when specified by lsm= kernel command line option (or security=
> kernel command line option if lsm= kernel command line option is not
> specified), won't it?
It breaks the backward-compat for the "security=" line. If a system is
booted with CONFIG_LSM="minors...,apparmor" and "security=selinux",
neither apparmor nor selinux will be initialized. The logic on
"security=..." depends on the other LSMs being present in the list.