Re: [PATCH security-next v3 18/29] LSM: Introduce lsm.enable= and lsm.disable=
From: Kees Cook
Date: Mon Oct 01 2018 - 19:38:27 EST
On Mon, Oct 1, 2018 at 4:30 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> If we keep it, "apparmor=0 lsm_enable=apparmor" would mean it's
> enabled. Is that okay?
Actually, what the v3 series does right now is leave AppArmor and
SELinux alone -- whatever they configured for enable/disable is left
alone.
The problem I have is when processing CONFIG_LSM_ENABLE ... what do I
do with the existing "enable" flag? It's set by both
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and apparmor=0/1.
Right now I can't tell the difference between someone booting with
apparmor=0 or CONFIG_LSM_ENABLE not including apparmor.
I.e. how do I mix CONFIG_LSM_ENABLE with apparmor=0/1? (assuming
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE has been removed)
-Kees
--
Kees Cook
Pixel Security
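One way to make the two cases distinguishable, as an added illustration rather than code from the v3 series: keep a tri-state per-LSM flag so that "apparmor=0" (explicitly disabled) and "absent from CONFIG_LSM_ENABLE" (never mentioned) are not the same value. The precedence order below (lsm.disable= over lsm.enable= over the legacy apparmor=0/1 flag over the build-time list) is an assumption made for this example, not the patch series' behaviour.

```c
/* Added example, not from the patch series: resolve whether one LSM
 * should be initialised from the four sources discussed in the thread. */
#include <string.h>
#include <stdbool.h>

/* Tri-state: LSM_UNSET means neither apparmor=0 nor apparmor=1 was given,
 * which is what a plain two-valued "enabled" flag cannot express. */
enum lsm_state { LSM_UNSET = 0, LSM_DISABLED, LSM_ENABLED };

/* True if `name` appears as one element of a comma-separated list. */
static bool in_list(const char *list, const char *name)
{
    size_t n = strlen(name);
    const char *p = list;

    while (p && *p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == n && strncmp(p, name, n) == 0)
            return true;
        p = end ? end + 1 : NULL;
    }
    return false;
}

/* Assumed precedence for this example (highest first):
 *   lsm.disable=  >  lsm.enable=  >  legacy apparmor=0/1  >  CONFIG_LSM_ENABLE */
bool lsm_should_enable(const char *name,
                       const char *config_lsm_enable, /* CONFIG_LSM_ENABLE list */
                       enum lsm_state legacy,         /* apparmor=0/1, else LSM_UNSET */
                       const char *lsm_enable,        /* lsm.enable= list or "" */
                       const char *lsm_disable)       /* lsm.disable= list or "" */
{
    if (in_list(lsm_disable, name))
        return false;
    if (in_list(lsm_enable, name))
        return true;
    /* Only an explicit legacy flag overrides the build-time default. */
    if (legacy != LSM_UNSET)
        return legacy == LSM_ENABLED;
    return in_list(config_lsm_enable, name);
}
```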