On Wed, Mar 27, 2019 at 2:05 PM Tetsuo Handa <penguin-ker...@i-love.sakura.ne.jp> wrote:
>
> On 2019/03/28 5:45, Kees Cook wrote:
> > On Wed, Mar 27, 2019 at 1:30 PM Tetsuo Handa
> > <penguin-ker...@i-love.sakura.ne.jp> wrote:
> >>
> >> On 2019/03/28 4:16, Kees Cook wrote:
> >>> The part I don't understand is what you've said about TOMOYO being
> >>> primary and not wanting the others stackable? That kind of goes
> >>> against the point, but I'm happy to do that if you want it that way.
> >>
> >> Automatically enabling multiple legacy major LSMs might result in a
> >> confusion like Jakub encountered.
> >
> > The confusion wasn't multiple enabled: it was a change of what was
> > enabled (due to ignoring the old config). (My very first suggested
> > patch fixed this...)
>
> Someone else might get confused when TOMOYO is automatically enabled
> despite they did not specify TOMOYO in lsm= or security= or CONFIG_LSM.
>
> >
> >> For a few releases from 5.1 (about one year or so?), since
> >> CONFIG_DEFAULT_SECURITY_* will be ignored after CONFIG_LSM is once
> >> defined in their kernel configs, I guess that it is better not to
> >> enable TOMOYO automatically until most people complete migrating from
> >> CONFIG_DEFAULT_SECURITY_* to CONFIG_LSM and get used to use lsm=
> >> kernel command line option rather than security= kernel command line
> >> option.
> >
> > It sounds like you want TOMOYO to stay an exclusive LSM? Should we
> > revert a5e2fe7ede12 ("TOMOYO: Update LSM flags to no longer be
> > exclusive") instead? (I'm against this idea, but defer to you. I think
> > it should stay stackable since the goal is to entirely remove the
> > concept of exclusive LSMs.)
>
> I never want to revert a5e2fe7ede12. For transition period, I just don't
> want to automatically enable TOMOYO when people did not specify TOMOYO.
>
> >
> > I don't see problems for an exclusive LSM user (AA, SELinux, Smack)
> > also initializing TOMOYO, though. It should be a no-op. Is there some
> > situation where this is not true?
>
> There should be no problem except some TOMOYO messages are printed.

Okay, so I should send my latest version of the patch to James? Or do
you explicitly want TOMOYO removed from all the CONFIG_LSM default
lines except when selected by CONFIG_DEFAULT_SECURITY_TOMOYO? (I worry
the latter will lead to less testing of the stacking.)

--
Kees Cook