From: Kees Cook
Date: Tue, 2 Oct 2018 16:54:32 -0700
Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter
To: John Johansen
Cc: James Morris, Jordan Glover, Stephen Smalley, Paul Moore, Casey Schaufler, Tetsuo Handa, "Schaufler, Casey", linux-security-module, Jonathan Corbet, "open list:DOCUMENTATION", linux-arch, LKML
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 2, 2018 at 4:46 PM, John Johansen wrote:
> On 10/02/2018 04:06 PM, Kees Cook wrote:
>> I think the current proposal (in the other thread) is likely the
>> sanest approach:
>>
>> - Drop CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE
>> - Drop CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
>> - All enabled LSMs are listed at build-time in CONFIG_LSM_ENABLE
>
> Hrrmmm isn't this a Kconfig selectable list, with each built-in LSM
> available to be enabled by default at boot.

That's not how I have it currently. It's a comma-separated string,
including the reserved name "all". The default would just be
"CONFIG_LSM_ENABLE=all". Casey and I wanted this to have a way to
capture new LSMs by default at build-time.

>> - Boot time enabling for selinux= and apparmor= remain
>> - lsm.enable= is explicit: overrides above and omissions are disabled
> wfm

Okay, this is closer to v3 than v4. Paul or Stephen, how do you feel
about losing the SELinux bootparam CONFIG? (i.e. CONFIG_LSM_ENABLE
would be replacing its functionality.)

-Kees

-- 
Kees Cook
Pixel Security
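
A small model of the enable precedence proposed in the message above, added here as an illustration; it is not code from the patch series or the kernel. The function names, the use of -1 for "legacy parameter not given", and the rule that selinux=/apparmor= beat the build-time list when lsm.enable= is absent are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if `name` is exactly one of the comma-separated tokens in `list`. */
static bool in_list(const char *list, const char *name)
{
    size_t n = strlen(name);

    while (*list) {
        size_t len = strcspn(list, ",");

        if (len == n && strncmp(list, name, n) == 0)
            return true;
        list += len;
        if (*list == ',')
            list++;
    }
    return false;
}

/*
 * Model of the proposed precedence (hypothetical helper, not kernel code):
 *   config  - build-time CONFIG_LSM_ENABLE string, may contain "all"
 *   legacy  - selinux= / apparmor= value: -1 if not given, else 0 or 1
 *   cmdline - lsm.enable= value, or NULL if not given on the command line
 */
bool lsm_enabled(const char *name, const char *config, int legacy,
                 const char *cmdline)
{
    /* lsm.enable= is explicit: it overrides the rest, omissions are off. */
    if (cmdline)
        return in_list(cmdline, name);

    /* Assumption: a legacy per-LSM parameter beats the build-time list. */
    if (legacy >= 0)
        return legacy != 0;

    return in_list(config, "all") || in_list(config, name);
}

int main(void)
{
    /* Constructed cases: default build, then an explicit lsm.enable= list. */
    printf("%d\n", lsm_enabled("selinux", "all", -1, NULL));           /* 1 */
    printf("%d\n", lsm_enabled("selinux", "all", 1, "apparmor,yama")); /* 0 */
    return 0;
}
```

The second case shows the audit-relevant consequence of "omissions are disabled": an lsm.enable= list that leaves out an LSM turns it off even when the build-time default and the legacy parameter both ask for it.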