Subject: Re: [PATCH security-next v2 19/26] LSM: Introduce CONFIG_LSM_ORDER
From: Casey Schaufler
To: Kees Cook, James Morris
Cc: John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley, "Schaufler, Casey", LSM, Jonathan Corbet, linux-doc@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Thu, 20 Sep 2018 17:14:35 -0700

On 9/20/2018 5:10 PM, Casey Schaufler wrote:
> On 9/20/2018 9:23 AM, Kees Cook wrote:
>> This provides a way to declare LSM initialization order via Kconfig.
>>
>> Signed-off-by: Kees Cook
>> ---
>> security/Kconfig | 11 +++++++++++
>> security/security.c | 38 +++++++++++++++++++++++++++++++++++---
>> 2 files changed, 46 insertions(+), 3 deletions(-)
>>
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 27d8b2688f75..de8202886c1d 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -276,5 +276,16 @@ config DEFAULT_SECURITY
>> default "apparmor" if DEFAULT_SECURITY_APPARMOR
>> default "" if DEFAULT_SECURITY_DAC
>>
>> +config LSM_ORDER
>> + string "Default initialization order of builtin LSMs"
>> + default "integrity"
> I would like to see the default spelled out rather than
> provided implicitly.
>
> + default "integrity,yama,loadpin,selinux,smack,apparmor,tomoyo"

I see now that comes later in the patch set. Never mind.
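Review bot: The `config LSM_ORDER` entry in the security/Kconfig hunk, as far as it is quoted here, carries no help text, and its prompt promises an order for "builtin LSMs" while the visible default names only "integrity". The entry's help should state the expected format of the string and what happens to a builtin LSM that the string does not name, so that someone reading Kconfig alone can tell whether omitting an LSM disables it or only leaves its position unspecified. It should also say how this option relates to `DEFAULT_SECURITY`, which sits directly above it in the context lines. The quote stops after the `default "integrity"` line, so this applies only if the remaining added lines do not already cover it.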