1 files changed, 9 insertions, 36 deletions
diff --git a/security/Kconfig b/security/Kconfig
index e4fe2f3c2c65..1d6463fb1450 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -40,8 +40,7 @@ config SECURITYFS
        bool "Enable the securityfs filesystem"
        help
          This will build the securityfs filesystem.  It is currently used by
-          the TPM bios character driver and IMA, an integrity provider.  It is
+          various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).
-          not used by SELinux or SMACK.
          If you are unsure how to answer this question, answer N.
@@ -236,45 +235,19 @@ source "security/tomoyo/Kconfig"
 source "security/apparmor/Kconfig"
 source "security/loadpin/Kconfig"
 source "security/yama/Kconfig"
+source "security/safesetid/Kconfig"
 source "security/integrity/Kconfig"
-choice
+config LSM
-        prompt "Default security module"
+        string "Ordered list of enabled LSMs"
-        default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+        default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
-        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
-        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
-        default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
-        default DEFAULT_SECURITY_DAC
        help
-          Select the security module that will be used by default if the
+          A comma-separated list of LSMs, in initialization order.
-          kernel parameter security= is not specified.
+          Any LSMs left off this list will be ignored. This can be
+          controlled at boot with the "lsm=" parameter.
-        config DEFAULT_SECURITY_SELINUX
-                bool "SELinux" if SECURITY_SELINUX=y
-        config DEFAULT_SECURITY_SMACK
-                bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
-        config DEFAULT_SECURITY_TOMOYO
-                bool "TOMOYO" if SECURITY_TOMOYO=y
-        config DEFAULT_SECURITY_APPARMOR
-                bool "AppArmor" if SECURITY_APPARMOR=y
-        config DEFAULT_SECURITY_DAC
-                bool "Unix Discretionary Access Controls"
-endchoice
-config DEFAULT_SECURITY
+          If unsure, leave this as the default.
-        string
-        default "selinux" if DEFAULT_SECURITY_SELINUX
-        default "smack" if DEFAULT_SECURITY_SMACK
-        default "tomoyo" if DEFAULT_SECURITY_TOMOYO
-        default "apparmor" if DEFAULT_SECURITY_APPARMOR
-        default "" if DEFAULT_SECURITY_DAC
 endmenu

diff --git a/security/Kconfig b/security/Kconfig index e4fe2f3c2c65..1d6463fb1450 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -40,8 +40,7 @@ config SECURITYFS
40	bool "Enable the securityfs filesystem"	40	bool "Enable the securityfs filesystem"
41	help	41	help
42	This will build the securityfs filesystem. It is currently used by	42	This will build the securityfs filesystem. It is currently used by
43	the TPM bios character driver and IMA, an integrity provider. It is	43	various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM).
44	not used by SELinux or SMACK.
45		44
46	If you are unsure how to answer this question, answer N.	45	If you are unsure how to answer this question, answer N.
47		46
@@ -236,45 +235,19 @@ source "security/tomoyo/Kconfig"
236	source "security/apparmor/Kconfig"	235	source "security/apparmor/Kconfig"
237	source "security/loadpin/Kconfig"	236	source "security/loadpin/Kconfig"
238	source "security/yama/Kconfig"	237	source "security/yama/Kconfig"
		238	source "security/safesetid/Kconfig"
239		239
240	source "security/integrity/Kconfig"	240	source "security/integrity/Kconfig"
241		241
242	choice	242	config LSM
243	prompt "Default security module"	243	string "Ordered list of enabled LSMs"
244	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX	244	default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
245	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
246	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
247	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
248	default DEFAULT_SECURITY_DAC
249
250	help	245	help
251	Select the security module that will be used by default if the	246	A comma-separated list of LSMs, in initialization order.
252	kernel parameter security= is not specified.	247	Any LSMs left off this list will be ignored. This can be
253		248	controlled at boot with the "lsm=" parameter.
254	config DEFAULT_SECURITY_SELINUX
255	bool "SELinux" if SECURITY_SELINUX=y
256
257	config DEFAULT_SECURITY_SMACK
258	bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
259
260	config DEFAULT_SECURITY_TOMOYO
261	bool "TOMOYO" if SECURITY_TOMOYO=y
262
263	config DEFAULT_SECURITY_APPARMOR
264	bool "AppArmor" if SECURITY_APPARMOR=y
265
266	config DEFAULT_SECURITY_DAC
267	bool "Unix Discretionary Access Controls"
268
269	endchoice
270		249
271	config DEFAULT_SECURITY	250	If unsure, leave this as the default.
272	string
273	default "selinux" if DEFAULT_SECURITY_SELINUX
274	default "smack" if DEFAULT_SECURITY_SMACK
275	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
276	default "apparmor" if DEFAULT_SECURITY_APPARMOR
277	default "" if DEFAULT_SECURITY_DAC
278		251
279	endmenu	252	endmenu
280		253