‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, October 12, 2018 1:09 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: > We've had things sort of like this proposed, but if you can convince > James and others, I'm all for it. I think the standing objection from > James and John about this is that the results of booting with > "lsm=something" ends up depending on CONFIG_LSM= for that distro. So > you end up with different behaviors instead of a consistent behavior > across all distros. > Ok, I'll try :) The final lsm string contains two parts: Kconfig "CONFIG_LSM=" and boot param "lsm=". Changing even only one of those parts also changes the final string. In case of distros, it's the "CONFIG_LSM=" which changes. Even when "lsm=" stays constant, the behavior will be different, example: Distro A has: CONFIG_LSM=loadpin,integrity,selinux Distro B has CONFIG_LSM=yama,loadpin,integrity,selinux User on distro A wants to enable apparmor with: lsm=loadpin,integrity,apparmor which they do and add it to howto on wiki. User on distro B want to enable apparmor, they found info on some wiki and do: lsm=loadpin,integrity,apparmor Puff, yama got disabled! Above example shows why I think "consistent behavior across all distros" argument for current approach is flawed - because distros aren't consistent. In my proposition the user will just use "lsm=apparmor" and it will consistently enable apparmor on all distros which is what they really wanted, but all pre-existing differences across distros will remain unchanged. The current approach requires that everyone who dares to touch "lsm=" knows about existence of all lsm, their enabled/disabled status on target distro and their order. I doubt there are many people other than recipients of this mail who fit for the above. I it's better to assume that average user has rather vague knowledge about lsm and don't delve deep into Kconfig's of their chosen distro. If they want to use "lsm=" their goal is to disable/enable on or more things. My proposition will work better for those. More advanced users still will may pass any "lsm=" string as they like, this having full control. Jordan
