On Mon, Oct 1, 2018 at 4:30 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> If we keep it, "apparmor=0 lsm_enable=apparmor" would mean it's
> enabled. Is that okay?

Actually, what the v3 series does right now is leave AppArmor and
SELinux alone -- whatever they configured for enable/disable is left
alone.

The problem I have is when processing CONFIG_LSM_ENABLE ... what do I
do with the existing "enable" flag? It's set by both
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE and apparmor=0/1. Right now I
can't tell the difference between someone booting with apparmor=0 or
CONFIG_LSM_ENABLE not including apparmor.

i.e. how do I mix CONFIG_LSM_ENABLE with apparmor=0/1? (assuming
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE has been removed)

-Kees

--
Kees Cook
Pixel Security