diff options
| -rw-r--r-- | security/Kconfig | 32 | ||||
| -rw-r--r-- | security/security.c | 9 |
2 files changed, 38 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig index aeea8c2bb59..95cc08913ca 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -152,5 +152,37 @@ source security/tomoyo/Kconfig source security/integrity/ima/Kconfig +choice + prompt "Default security module" + default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX + default DEFAULT_SECURITY_SMACK if SECURITY_SMACK + default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO + default DEFAULT_SECURITY_DAC + + help + Select the security module that will be used by default if the + kernel parameter security= is not specified. + + config DEFAULT_SECURITY_SELINUX + bool "SELinux" if SECURITY_SELINUX=y + + config DEFAULT_SECURITY_SMACK + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y + + config DEFAULT_SECURITY_TOMOYO + bool "TOMOYO" if SECURITY_TOMOYO=y + + config DEFAULT_SECURITY_DAC + bool "Unix Discretionary Access Controls" + +endchoice + +config DEFAULT_SECURITY + string + default "selinux" if DEFAULT_SECURITY_SELINUX + default "smack" if DEFAULT_SECURITY_SMACK + default "tomoyo" if DEFAULT_SECURITY_TOMOYO + default "" if DEFAULT_SECURITY_DAC + endmenu diff --git a/security/security.c b/security/security.c index 684d5ee655d..aad71b2ca19 100644 --- a/security/security.c +++ b/security/security.c @@ -19,7 +19,8 @@ #include <linux/ima.h> /* Boot-time LSM user choice */ -static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; +static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = + CONFIG_DEFAULT_SECURITY; /* things that live in capability.c */ extern struct security_operations default_security_ops; @@ -80,8 +81,10 @@ __setup("security=", choose_lsm); * * Return true if: * -The passed LSM is the one chosen by user at boot time, - * -or user didn't specify a specific LSM and we're the first to ask - * for registration permission, + * -or the passed LSM is configured as the default and the user did not + * choose an alternate LSM at boot time, + * -or there is no default LSM set and the user didn't specify a + * specific LSM and we're the first to ask for registration permission, * -or the passed LSM is currently loaded. * Otherwise, return false. */ |