Date: Sat, 9 Feb 2019 09:28:14 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Casey Schaufler <casey@...aufler-ca.com>, Kees Cook <keescook@...omium.org>
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Paul Moore <paul@...l-moore.com>, Stephen Smalley <sds@...ho.nsa.gov>, syzbot <syzbot+21016130b0580a9de3b5@...kaller.appspotmail.com>, tyhicks@...onical.com, John Johansen <john.johansen@...onical.com>, James Morris <jmorris@...ei.org>, LKML <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, Serge Hallyn <serge@...lyn.com>, syzkaller-bugs <syzkaller-bugs@...glegroups.com>, Jeffrey Vander Stoep <jeffv@...gle.com>, SELinux <selinux@...r.kernel.org>, Russell Coker <russell@...er.com.au>, Laurent Bigonville <bigon@...ian.org>, syzkaller <syzkaller@...glegroups.com>, Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] LSM: Allow syzbot to ignore security= parameter.

On 2019/02/09 1:23, Casey Schaufler wrote:
> On 2/8/2019 2:52 AM, Tetsuo Handa wrote:
>> To help administrators easily understand what LSM modules are possibly enabled by default (which
>> have to be fetched from e.g. /boot/config-`uname -r`)
>
> $ cat /sys/kernel/security/lsm

/sys/kernel/security/lsm is a list of "actually" enabled modules, isn't it?
What I want is "possibly" enabled modules.

Ubuntu would choose either (a) explicitly adding security=apparmor to the kernel
command line or (b) explicitly removing tomoyo from CONFIG_LSM in the kernel config
in order not to enable TOMOYO for those who want to enable only one of
SELinux/Smack/AppArmor. And for those who want to enable TOMOYO, I think that (b)
(in other words, adding lsm="modules listed in CONFIG_LSM" + ",tomoyo") will retain
compatibility when it becomes possible to enable more than one of
SELinux/Smack/AppArmor at the same time.

If we can know "possibly" enabled modules from dmesg, users don't need to look at
e.g. /boot/config-`uname -r`. It is not essential, but it's handy.
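As an added illustration of the distinction drawn above (not code from the thread or from the kernel), this script compares the "actually" enabled LSMs reported by /sys/kernel/security/lsm with the "possibly" enabled ones compiled in via CONFIG_LSM, and lists the built-in modules that are not active. The file paths are parameters, and the run at the bottom uses constructed sample files in place of the real /boot/config-`uname -r` and securityfs node.

```shell
#!/bin/bash
# Added example, not part of the thread: "possibly" vs "actually" enabled LSMs.

# Print the CONFIG_LSM value (quotes stripped) from a kernel config file.
config_lsm_list() {
    sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$1"
}

# Print the comma-separated module list that securityfs reports as active.
active_lsm_list() {
    tr -d '\n' < "$1"
}

# Print, one per line, modules listed in CONFIG_LSM that are not active.
# These are the "possibly enabled" modules an admin would otherwise have to
# discover by reading the kernel config (e.g. disabled via security=/lsm=).
inactive_possible_lsms() {
    local config="$1" sysfs="$2"
    local possible active
    possible=$(config_lsm_list "$config")
    active=$(active_lsm_list "$sysfs")
    printf '%s\n' "$possible" | tr ',' '\n' | while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        case ",$active," in
            *",$mod,"*) ;;                 # active: nothing to report
            *) printf '%s\n' "$mod" ;;     # built in but not enabled
        esac
    done
}

# Constructed sample data (assumption: a 5.1-era CONFIG_LSM default, and a
# boot where only AppArmor was selected from the exclusive major modules).
SAMPLE_DIR=$(mktemp -d)
printf 'CONFIG_LSM="yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"\n' \
    > "$SAMPLE_DIR/config"
printf 'lockdown,capability,yama,apparmor' > "$SAMPLE_DIR/lsm"

# Join the result on one line for easy checking.
sample_result() {
    inactive_possible_lsms "$SAMPLE_DIR/config" "$SAMPLE_DIR/lsm" | tr '\n' ','
}

sample_result   # prints loadpin,safesetid,integrity,selinux,smack,tomoyo,
```

On a real system, call `inactive_possible_lsms "/boot/config-$(uname -r)" /sys/kernel/security/lsm` instead of the sample paths.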