1 files changed, 38 insertions, 0 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 1d6463fb1450..353cfef71d4e 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -239,8 +239,46 @@ source "security/safesetid/Kconfig"
 source "security/integrity/Kconfig"
+choice
+        prompt "First legacy 'major LSM' to be initialized"
+        default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+        default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
+        default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+        default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+        default DEFAULT_SECURITY_DAC
+        help
+          This choice is there only for converting CONFIG_DEFAULT_SECURITY
+          in old kernel configs to CONFIG_LSM in new kernel configs. Don't
+          change this choice unless you are creating a fresh kernel config,
+          for this choice will be ignored after CONFIG_LSM has been set.
+          Selects the legacy "major security module" that will be
+          initialized first. Overridden by non-default CONFIG_LSM.
+        config DEFAULT_SECURITY_SELINUX
+                bool "SELinux" if SECURITY_SELINUX=y
+        config DEFAULT_SECURITY_SMACK
+                bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+        config DEFAULT_SECURITY_TOMOYO
+                bool "TOMOYO" if SECURITY_TOMOYO=y
+        config DEFAULT_SECURITY_APPARMOR
+                bool "AppArmor" if SECURITY_APPARMOR=y
+        config DEFAULT_SECURITY_DAC
+                bool "Unix Discretionary Access Controls"
+endchoice
 config LSM
        string "Ordered list of enabled LSMs"
+        default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
+        default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
+        default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
+        default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
        default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
        help
          A comma-separated list of LSMs, in initialization order.

diff --git a/security/Kconfig b/security/Kconfig index 1d6463fb1450..353cfef71d4e 100644 --- a/security/Kconfig +++ b/security/Kconfig
@@ -239,8 +239,46 @@ source "security/safesetid/Kconfig"
239		239
240	source "security/integrity/Kconfig"	240	source "security/integrity/Kconfig"
241		241
		242	choice
		243	prompt "First legacy 'major LSM' to be initialized"
		244	default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
		245	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
		246	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
		247	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
		248	default DEFAULT_SECURITY_DAC
		249
		250	help
		251	This choice is there only for converting CONFIG_DEFAULT_SECURITY
		252	in old kernel configs to CONFIG_LSM in new kernel configs. Don't
		253	change this choice unless you are creating a fresh kernel config,
		254	for this choice will be ignored after CONFIG_LSM has been set.
		255
		256	Selects the legacy "major security module" that will be
		257	initialized first. Overridden by non-default CONFIG_LSM.
		258
		259	config DEFAULT_SECURITY_SELINUX
		260	bool "SELinux" if SECURITY_SELINUX=y
		261
		262	config DEFAULT_SECURITY_SMACK
		263	bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
		264
		265	config DEFAULT_SECURITY_TOMOYO
		266	bool "TOMOYO" if SECURITY_TOMOYO=y
		267
		268	config DEFAULT_SECURITY_APPARMOR
		269	bool "AppArmor" if SECURITY_APPARMOR=y
		270
		271	config DEFAULT_SECURITY_DAC
		272	bool "Unix Discretionary Access Controls"
		273
		274	endchoice
		275
242	config LSM	276	config LSM
243	string "Ordered list of enabled LSMs"	277	string "Ordered list of enabled LSMs"
		278	default "yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor" if DEFAULT_SECURITY_SMACK
		279	default "yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" if DEFAULT_SECURITY_APPARMOR
		280	default "yama,loadpin,safesetid,integrity,tomoyo" if DEFAULT_SECURITY_TOMOYO
		281	default "yama,loadpin,safesetid,integrity" if DEFAULT_SECURITY_DAC
244	default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"	282	default "yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
245	help	283	help
246	A comma-separated list of LSMs, in initialization order.	284	A comma-separated list of LSMs, in initialization order.