On 9/15/2018 5:30 PM, Kees Cook wrote:
> To prepare for having a third type of LSM ("shared blob"), this implements
> dynamic handling of LSM ordering. The visible change here is that the
> "security=" boot commandline is now a comma-separated ordered list of
> all LSMs, not just the single "exclusive" LSM. This means that the
> "minor" LSMs can now be disabled at boot time by omitting them from the
> commandline. Additionally LSM ordering becomes entirely mutable for LSMs
> with LSM_ORDER_MUTABLE ("capability" is not mutable and is always enabled
> first).
Today if I have Yama enabled and use security=apparmor I get a module list of
capability,yama,apparmor. With this change I would get a different result,
capability,apparmor. I am personally OK with this, but I think others may see
it as a violation of compatibility.

One solution is to leave security= as is, not affecting "minor" modules and
only allowing specification of one major module, and adding another boot
option security.stack= that overrides a security= option and that takes the
list as you've implemented here.

An icky alternative would be to say that any security= specification with no
commas in it retains the old behavior. So

    security=apparmor
    security=apparmor,

would get you

    capability,yama,apparmor
    capability,apparmor

respectively.

Another option would be to require negation on the minor modules, such as

    security=apparmor,-loadpin

I can't honestly say which I like least or best.
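To make the alternatives concrete, here is an added model of how each candidate "security=" semantics would resolve the final LSM order; it is illustrative Python written for this discussion, not code from the patch or the kernel. The set of built-in minor LSMs, and placing minors ahead of the major LSM under the legacy and negation forms, are assumptions.

```python
# Constructed model of the candidate "security=" boot-option semantics.
# Assumption: these minor LSMs are built in, in this order (not from the patch).
MINOR_BUILTIN = ["yama", "loadpin"]


def _names(value):
    """Split a comma list, dropping empty items (so 'apparmor,' == 'apparmor')."""
    return [n for n in value.split(",") if n]


def legacy_order(value, minor_builtin=MINOR_BUILTIN):
    """Old behaviour: security= names one major LSM; minors are always enabled."""
    return ["capability"] + list(minor_builtin) + ([value] if value else [])


def list_order(value):
    """Patch behaviour: security= is the full ordered list after capability.
    'capability' is not mutable, so it is always first even if listed later."""
    names = [n for n in _names(value) if n != "capability"]
    return ["capability"] + names


def compat_order(value, minor_builtin=MINOR_BUILTIN):
    """The 'icky alternative': no comma keeps legacy semantics, any comma
    switches to the explicit list form."""
    if "," in value:
        return list_order(value)
    return legacy_order(value, minor_builtin)


def negation_order(value, minor_builtin=MINOR_BUILTIN):
    """Negation option: minors stay enabled unless listed as '-name'.
    Assumption: surviving minors keep their built-in order before the major."""
    names = _names(value)
    disabled = {n[1:] for n in names if n.startswith("-")}
    majors = [n for n in names if not n.startswith("-") and n != "capability"]
    minors = [m for m in minor_builtin if m not in disabled]
    return ["capability"] + minors + majors


if __name__ == "__main__":
    for form in ("legacy", "list", "compat", "negation"):
        fn = globals()[form + "_order"]
        print(f"{form:9s} security=apparmor  -> {fn('apparmor')}")
```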