-rw-r--r--security/Kconfig38
-rw-r--r--security/yama/yama_lsm.c8
2 files changed, 42 insertions, 4 deletions
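--- a/security/Kconfig
+++ b/security/Kconfig
@@ -239,8 +239,46 @@ source "security/safesetid/Kconfig"
 
 source "security/integrity/Kconfig"
 
+choice
+	prompt "First legacy 'major LSM' to be initialized"
+	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
+	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+	default DEFAULT_SECURITY_DAC
+
+	help
+	  This choice is there only for converting CONFIG_DEFAULT_SECURITY
+	  in old kernel configs to CONFIG_LSM in new kernel configs. Don't
+	  change this choice unless you are creating a fresh kernel config,
+	  for this choice will be ignored after CONFIG_LSM has been set.
+
+	  Selects the legacy "major security module" that will be
+	  initialized first. Overridden by non-default CONFIG_LSM.
+
+	config DEFAULT_SECURITY_SELINUX
+		bool "SELinux" if SECURITY_SELINUX=y
+
+	config DEFAULT_SECURITY_SMACK
+		bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+
+	config DEFAULT_SECURITY_TOMOYO
+		bool "TOMOYO" if SECURITY_TOMOYO=y
+
+	config DEFAULT_SECURITY_APPARMOR
+		bool "AppArmor" if SECURITY_APPARMOR=y
+
+	config DEFAULT_SECURITY_DAC
+		bool "Unix Discretionary Access Controls"
+
+endchoice
+
 config LSM
 	string "Ordered list of enabled LSMs"
+	default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
+	default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
+	default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
+	default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
 	default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
 	help
 	  A comma-separated list of LSMs, in initialization order.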
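Review bot: The CONFIG_LSM default guarded by `if DEFAULT_SECURITY_TOMOYO` lists only `tomoyo` and drops selinux, smack and apparmor, while the SMACK and AppArmor defaults directly above it keep all four major LSMs in the string, and nothing in the hunk explains the asymmetry. If this is deliberate — presumably because TOMOYO is not an exclusive LSM, so naming the other majors after it would stack them alongside TOMOYO rather than act as a fallback, changing the old single-major behaviour — that reasoning belongs in a comment above the line, e.g. `# TOMOYO is not exclusive: listing the other majors here would enable them alongside it, not as a fallback`. If it is not deliberate, a config converted from DEFAULT_SECURITY_TOMOYO silently loses every other compiled-in major unless the user passes lsm= at boot, which is a behaviour change worth calling out in the choice's help text as well. Either way, one line next to the defaults would save the next reader from guessing.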
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 57cc60722dd3..efac68556b45 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -206,7 +206,7 @@ static void yama_ptracer_del(struct task_struct *tracer,
206 * yama_task_free - check for task_pid to remove from exception list 206 * yama_task_free - check for task_pid to remove from exception list
207 * @task: task being removed 207 * @task: task being removed
208 */ 208 */
209void yama_task_free(struct task_struct *task) 209static void yama_task_free(struct task_struct *task)
210{ 210{
211 yama_ptracer_del(task, task); 211 yama_ptracer_del(task, task);
212} 212}
@@ -222,7 +222,7 @@ void yama_task_free(struct task_struct *task)
222 * Return 0 on success, -ve on error. -ENOSYS is returned when Yama 222 * Return 0 on success, -ve on error. -ENOSYS is returned when Yama
223 * does not handle the given option. 223 * does not handle the given option.
224 */ 224 */
225int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, 225static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
226 unsigned long arg4, unsigned long arg5) 226 unsigned long arg4, unsigned long arg5)
227{ 227{
228 int rc = -ENOSYS; 228 int rc = -ENOSYS;
@@ -401,7 +401,7 @@ static int yama_ptrace_access_check(struct task_struct *child,
401 * 401 *
402 * Returns 0 if following the ptrace is allowed, -ve on error. 402 * Returns 0 if following the ptrace is allowed, -ve on error.
403 */ 403 */
404int yama_ptrace_traceme(struct task_struct *parent) 404static int yama_ptrace_traceme(struct task_struct *parent)
405{ 405{
406 int rc = 0; 406 int rc = 0;
407 407
@@ -452,7 +452,7 @@ static int yama_dointvec_minmax(struct ctl_table *table, int write,
452static int zero; 452static int zero;
453static int max_scope = YAMA_SCOPE_NO_ATTACH; 453static int max_scope = YAMA_SCOPE_NO_ATTACH;
454 454
455struct ctl_path yama_sysctl_path[] = { 455static struct ctl_path yama_sysctl_path[] = {
456 { .procname = "kernel", }, 456 { .procname = "kernel", },
457 { .procname = "yama", }, 457 { .procname = "yama", },
458 { } 458 { }
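Review bot: The `yama_sysctl_path` array at the last hunk is now file-local but is still writable; since it is a fixed path table that is never modified after definition, it could be `static const struct ctl_path yama_sysctl_path[] = {` so it lands in rodata, provided the registration call in this tree takes a `const struct ctl_path *` (register_sysctl_paths() does in the kernels I am aware of — worth confirming before changing). The `static int zero;` two lines above it is an existing writable sysctl bound that the commit does not touch, and the same const treatment does not apply there because the sysctl handler takes a non-const pointer. The bodies of yama_task_prctl and yama_ptrace_traceme, and the remainder of the yama_sysctl_path initializer, run past their hunks, so only the new storage-class qualifiers are reviewed here.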