On 03/09/14 15:35, Mimi Zohar wrote: > On Wed, 2014-09-03 at 10:29 +0300, Dmitry Kasatkin wrote: >> Integrity subsystem got lots of options and takes more than half >> of security menu. >> >> This patch moves integrity subsystem options to a separate menu. >> It does not affect existing configuration. Re-configuration is >> not needed. >> >> Changes in v2: >> - previous patch moved integrity out of the 'security' menu. >> This version keeps integrity as a security option (Mimi). >> >> Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com> >> --- >> security/integrity/Kconfig | 14 ++++++++++++-- >> security/integrity/evm/Kconfig | 9 +-------- >> security/integrity/ima/Kconfig | 3 +-- >> 3 files changed, 14 insertions(+), 12 deletions(-) >> >> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig >> index f79d853..a734a83 100644 >> --- a/security/integrity/Kconfig >> +++ b/security/integrity/Kconfig >> @@ -1,7 +1,13 @@ >> # >> config INTEGRITY >> - def_bool y >> - depends on IMA || EVM >> + bool "Integrity subsystem support" >> + depends on SECURITY >> + default y >> + >> +if INTEGRITY >> + >> +menu "Options" >> + > Instead of moving everything to a separate menu, I would leave the > ability to enable/disable IMA and EVM on the security page, but move > their options to separate pages. So unless someone wants to change the > default options, they're hidden. > > There are Kconfig examples for enabling the option in the parent > directory and clicking on the option brings up a separate menu (eg. NET, > WIRELESS).
Hi, I posted this patch already 3 times before. This is 4th time. In last post you answered: "Agreed, but this patch moves integrity out of the 'security' menu. The following keeps integrity as a security option." Now you tell me this? - Dmitry >> config INTEGRITY_SIGNATURE >> boolean "Digital signature verification using multiple keyrings" >> @@ -46,3 +52,7 @@ config INTEGRITY_AUDIT >> >> source security/integrity/ima/Kconfig >> source security/integrity/evm/Kconfig >> + >> +endmenu >> + >> +endif # if INTEGRITY >> diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig >> index d606f3d..df20a2f 100644 >> --- a/security/integrity/evm/Kconfig >> +++ b/security/integrity/evm/Kconfig >> @@ -1,6 +1,6 @@ >> config EVM >> boolean "EVM support" >> - depends on SECURITY >> + depends on INTEGRITY > By adding the "if INTEGRITY", the "depends on INTEGRITY" is redundant. > Please remove the depends here and in the other places. > > Mimi > >> select KEYS >> select ENCRYPTED_KEYS >> select CRYPTO_HMAC >> @@ -12,10 +12,6 @@ config EVM >> >> If you are unsure how to answer this question, answer N. >> >> -if EVM >> - >> -menu "EVM options" >> - >> config EVM_ATTR_FSUUID >> bool "FSUUID (version 2)" >> default y >> @@ -47,6 +43,3 @@ config EVM_EXTRA_SMACK_XATTRS >> additional info to the calculation, requires existing EVM >> labeled file systems to be relabeled. >> >> -endmenu >> - >> -endif >> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig >> index 08758fb..2477d1e 100644 >> --- a/security/integrity/ima/Kconfig >> +++ b/security/integrity/ima/Kconfig >> @@ -2,8 +2,7 @@ >> # >> config IMA >> bool "Integrity Measurement Architecture(IMA)" >> - depends on SECURITY >> - select INTEGRITY >> + depends on INTEGRITY >> select SECURITYFS >> select CRYPTO >> select CRYPTO_HMAC > > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
