On Mon, Feb 15, 2021 at 7:17 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > From: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx> > > Thanks to the previous commit, this gives the opportunity to users, when > running make oldconfig, to update the list of enabled LSMs at boot time > if an LSM has just been enabled or disabled in the build. Moreover, > this list only makes sense if at least one LSM is enabled. > > Cc: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> > Cc: James Morris <jmorris@xxxxxxxxx> > Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx> > Cc: Serge E. Hallyn <serge@xxxxxxxxxx> > Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx> > Link: https://lore.kernel.org/r/20210215181511.2840674-4-mic@xxxxxxxxxxx > --- > > Changes since v1: > * Add CONFIG_SECURITY as a dependency of CONFIG_LSM. This prevent an > error when building without any LSMs. > --- > security/Kconfig | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/security/Kconfig b/security/Kconfig > index 7561f6f99f1d..addcc1c04701 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -277,6 +277,10 @@ endchoice > > config LSM > string "Ordered list of enabled LSMs" > + depends on SECURITY || SECURITY_LOCKDOWN_LSM || SECURITY_YAMA || \ > + SECURITY_LOADPIN || SECURITY_SAFESETID || INTEGRITY || \ > + SECURITY_SELINUX || SECURITY_SMACK || SECURITY_TOMOYO || \ > + SECURITY_APPARMOR || BPF_LSM This looks really awkward, since all of these already depend on SECURITY (if not, it's a bug)... I guarantee you that after some time someone will come, see that the weird boolean expression is equivalent to just SECURITY, and simplify it. I assume the new mechanism wouldn't work as intended if there is just SECURITY? If not, then maybe you should rather specify this value dependency via some new field rather than abusing "depends on" (say, "value depends on"?). The fact that a seemingly innocent change to the config definition breaks your mechanism suggests that the design is flawed. I do think this would be a useful feature, but IMHO shouldn't be implemented like this. > default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK > default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR > default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO > -- > 2.30.0 > -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.