On 9/21/2018 6:19 AM, John Johansen wrote:
> On 09/20/2018 08:02 PM, Kees Cook wrote:
>> On Thu, Sep 20, 2018 at 7:14 PM, John Johansen
>> <john.johansen@xxxxxxxxxxxxx> wrote:
>>> On 09/20/2018 07:05 PM, Kees Cook wrote:
>>>> On Thu, Sep 20, 2018 at 6:39 PM, John Johansen
>>>> <john.johansen@xxxxxxxxxxxxx> wrote:
>>>>
>>>> Yes, I like CONFIG_LSM_ENABLE if "empty" means "enable all". Should
>>>> CONFIG_LSM_ENABLE replace all the other CONFIG-based LSM
>>>> enabling/disabling?
>>> I don't particularly like "empty" being "enable all". With that
>>> how would I disable all builtin lsms so that I just boot with
>>> capability.
>>>
>>> An option of all or even * is more explicit and leaves the empty
>>> set to mean disable everything
>> Okay, that works. I prefer "all" FWIW.
>>
> me too, I was just trying to throw out options.

I'll buy that. "all" is fine by me, although it means we
can't have an LSM named "all". :) We should also allow
"none" to mean no LSMs. I know lots of people who love
using security=none.