Re: [PATCH security-next v4 21/32] LSM: Finalize centralized LSM enabling logic
From: Kees Cook
Date: Tue Oct 02 2018 - 00:49:46 EST
On Mon, Oct 1, 2018 at 6:18 PM, Randy Dunlap <rdunlap@xxxxxxxxxxxxx> wrote:
> On 10/1/18 5:54 PM, Kees Cook wrote:
>> Prior to this patch, default "enable" behavior was unchanged: SELinux
>> and AppArmor were controlled separately from the centralized control
>> defined by CONFIG_LSM_ENABLE and "lsm.enable=...". This changes the
>> logic to give all control over to the central logic.
>>
>> Instead of allowing SELinux and AppArmor to override the central LSM
>> enabling logic, by having separate CONFIG and boot parameters, this
>> forces all "enable" variables to disabled, then enables any listed in
>> the CONFIG_LSM_ENABLE and "lsm.enable=..." settings, and finally disables
>> any listed in "lsm.disable=...".
>>
>> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> ---
>> .../admin-guide/kernel-parameters.txt | 6 ++--
>> include/linux/lsm_hooks.h | 2 +-
>> security/security.c | 32 +++++++------------
>> 3 files changed, 15 insertions(+), 25 deletions(-)
>>
>> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
>> index 67c90985d2b8..f646cfab5613 100644
>> --- a/Documentation/admin-guide/kernel-parameters.txt
>> +++ b/Documentation/admin-guide/kernel-parameters.txt
>> @@ -2279,14 +2279,12 @@
>> lsm.disable=lsm1,...,lsmN
>> [SECURITY] Comma-separated list of LSMs to disable
>> at boot time. This overrides "lsm.enable=",
>
> better: This overrides "lsm.enable=" and
Eek, yes! Thank you. :)
-Kees
>
>> - CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and boot
>> - parameters.
>> + CONFIG_LSM_ENABLE.
>>
>> lsm.enable=lsm1,...,lsmN
>> [SECURITY] Comma-separated list of LSMs to enable
>> at boot time. This overrides any omissions from
>> - CONFIG_LSM_ENABLE, and any per-LSM CONFIGs and
>> - boot parameters.
>> + CONFIG_LSM_ENABLE.
>>
>> machvec= [IA-64] Force the use of a particular machine-vector
>> (machvec) in a generic kernel.
>
>
> --
> ~Randy
--
Kees Cook
Pixel Security