Date: Sat, 15 Sep 2018 04:18:14 +1000 (AEST)
From: James Morris
To: Casey Schaufler
cc: Kees Cook, Paul Moore, linux-security-module, LKML, SE Linux, John Johansen, Tetsuo Handa, Stephen Smalley, "linux-fsdevel@vger.kernel.org", Alexey Dobriyan, "Schaufler, Casey"
Subject: Re: [PATCH 10/10] LSM: Blob sharing support for S.A.R.A and LandLock
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 13 Sep 2018, Casey Schaufler wrote:

> On 9/13/2018 4:57 PM, Kees Cook wrote:
> > On Thu, Sep 13, 2018 at 4:51 PM, Casey Schaufler wrote:
> >> On 9/13/2018 4:06 PM, Kees Cook wrote:
> >>> - what order should any stacking happen? Makefile? security=?
> >> Makefile by default.
> > Okay, if ordering is by Makefile and everyone dislikes my
> > $lsm.enabled=0/1 thing, then these mean the same thing:
> >
> > security=selinux,tomoyo
> > security=tomoyo,selinux
> >
> > i.e. order of security= is _ignored_ in favor of the Makefile ordering.
>
> No, I think that the two lines above should have a different
> execution order. If we really need to specify multiple modules
> at boot time that is what makes the most sense.

Agreed.

-- 
James Morris