Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp27913imm; Wed, 3 Oct 2018 11:18:37 -0700 (PDT) X-Google-Smtp-Source: ACcGV62ygZnCjMmnoUHCHzcsH4eovNU35a1iVyj7jOGZB2RZKYdvwrnrD/VgFB/VwlKgX8tfGmm3 X-Received: by 2002:a62:5a83:: with SMTP id o125-v6mr2894994pfb.117.1538590717689; Wed, 03 Oct 2018 11:18:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538590717; cv=none; d=google.com; s=arc-20160816; b=AmWuqGJVT2NWstNVx2zAosRC95k/wHVQWLY+GpUhw4l22CHnBTOs50W7k9r1SmTwrF 6nuO1wfpL+tSJVZNcgYFnSB/ii+oyeFhUTTnw5f/SnCzJJLmF24HMP8TZH/r2Q7TiEHG m47SLP8bwhprsGLw1B1LIHhDUNAeK/dBN1KqUuwU8G/wmA1HStJj45xJotHsjyIRsDlu +8BDqCHxevTzmZcI2OfvVgaNI35OLNOsMw5ey0Z/1oLKvk87Dbl+0GKet34AYQlvx6Wq WjD2Wkmu7dHfRvWMEmbdokwWlhfc+x3fH+mogXI/faic9enojYmeLMc8kljLxasyjCAd 5vDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=SC8O36IdpPEuIyOiHKMj0R8Fd+gwJCzbdwZsnChzPe0=; b=gZq9rm6xc3cHyqlx6Uj0ndx2pYHPWDgBqLX3ulq81T6otFpBO6quegFUg4hOQ838nw HeJqJfy+d/GnIy4ZtLOOdyKUZ3enPN2gwU631IHcXYM9ltxDn4m29fH/Jc4dIoO3Op5w aY+tvU+GpdnjLxbNxs4N/YQJ13KlOeUsPhvDJASH9RrhgTyISsr3/yuhx1WTj6z4zp3F 2WBytUD3WH1H3lchNUERK/oadWFXuI1KM7ANJhlRiWvZunyAWDV2E3J2tc23Z3RjgZdN BCJeHjOdyFqKC285RUaevf/crWWue51wj9OTVbPUGFT9reLPTrr8vi+CDx1eEgA1WgUC SYHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s25-v6si2218400pgd.539.2018.10.03.11.18.21; Wed, 03 Oct 2018 11:18:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727420AbeJDBHU (ORCPT + 99 others); Wed, 3 Oct 2018 21:07:20 -0400 Received: from namei.org ([65.99.196.166]:35422 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726851AbeJDBHU (ORCPT ); Wed, 3 Oct 2018 21:07:20 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id w93IHJ2b015270; Wed, 3 Oct 2018 18:17:19 GMT Date: Thu, 4 Oct 2018 04:17:19 +1000 (AEST) From: James Morris To: John Johansen cc: Kees Cook , Jordan Glover , Stephen Smalley , Paul Moore , Casey Schaufler , Tetsuo Handa , "Schaufler, Casey" , linux-security-module , Jonathan Corbet , "open list:DOCUMENTATION" , linux-arch , LKML Subject: Re: [PATCH security-next v4 23/32] selinux: Remove boot parameter In-Reply-To: <5955f5ce-b803-4f58-8b07-54c291e33da5@canonical.com> Message-ID: References: <20181002005505.6112-1-keescook@chromium.org> <20181002005505.6112-24-keescook@chromium.org> <785ef6a9-ae46-3533-0348-74bcf6f10928@tycho.nsa.gov> <809f1cfd-077b-ee58-51ba-b22daf46d12b@tycho.nsa.gov> <5955f5ce-b803-4f58-8b07-54c291e33da5@canonical.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2 Oct 2018, John Johansen wrote: > To me a list like > lsm.enable=X,Y,Z What about even simpler: lsm=selinux,!apparmor,yama > > is best as a single explicit enable list, and it would be best to avoid > lsm.disable as it just introduces confusion. > > I do think per-LSM bootparams looses the advantages of centralization, > and still requires the user to know some Kconfig info but it also gets > rid of the lsm.disable confusion. > > With ordering separated out from being enabled there is a certain > cleanness to it. And perhaps most users are looking to enable/disable > a single lsm, instead of specifying exactly what security they want > on their system. > > If we were to go this route I would rather drop the lsm. prefix > > > > I think the current proposal (in the other thread) is likely the > > sanest approach: > > > > - Drop CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE > > - Drop CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE > > - All enabled LSMs are listed at build-time in CONFIG_LSM_ENABLE > > Hrrmmm isn't this a Kconfig selectable list, with each built-in LSM > available to be enabled by default at boot. > > > - Boot time enabling for selinux= and apparmor= remain > > - lsm.enable= is explicit: overrides above and omissions are disabled > wfm > > > - maybe include lsm.disable= to disable anything > -- James Morris