@@ -2044,7 +2044,7 @@ extern void security_add_hooks(struct security_hook_list *hooks, int count,
struct lsm_info {
const char *name; /* Required. */
unsigned long flags; /* Optional: flags describing LSM */
- int *enabled; /* Optional: NULL means enabled. */
+ int *enabled; /* Optional: NULL checks CONFIG_LSM_ENABLE */
int (*init)(void); /* Required. */
};
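Review bot: The reworded comment on `enabled` says a NULL pointer "checks CONFIG_LSM_ENABLE" but does not say what the field means when it is non-NULL, so a reader still has to find the resolution code (which is outside this hunk). Since this comment is the only contract an LSM author sees, it should state both halves, e.g. `/* Optional: NULL means the LSM is enabled iff it is listed in CONFIG_LSM_ENABLE; otherwise *enabled is the module's own enable flag. */`, assuming that is the intended semantics. It would also help to say that this is a boot-time default rather than a runtime toggle, since the parsing happens in `__init` code per the security.c hunk.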
@@ -276,5 +276,13 @@ config DEFAULT_SECURITY
default "apparmor" if DEFAULT_SECURITY_APPARMOR
default "" if DEFAULT_SECURITY_DAC
+config LSM_ENABLE
+ string "LSMs to enable at boot time"
+ default "all"
+ help
+ A comma-separated list of LSMs to enable by default at boot. The
+ default is "all", to enable all LSM modules at boot. Any LSMs
+ not listed here will be disabled by default.
+
endmenu
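Review bot: The help text for LSM_ENABLE does not say what the list entries are matched against or how the special value "all" relates to ordinary names, so a configurer cannot tell whether e.g. "apparmor,selinux" uses the registered `lsm_info.name` strings and whether matching is case-sensitive. It should also describe the interaction with DEFAULT_SECURITY directly above it: if the LSM chosen there is omitted from this list, the user should know which setting wins (not determinable from this hunk). Suggested wording for the help block: state that entries are the LSM names as registered by the kernel, that "all" is a keyword enabling every built-in LSM, and that any LSM carrying its own enable flag is not governed by this option if that is the case. Because a misspelled entry here silently drops a security module at boot, the help text is the right place to warn that unlisted or unrecognised names result in the LSM being disabled.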
@@ -45,6 +45,8 @@ char *lsm_names;
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
CONFIG_DEFAULT_SECURITY;
+static __initconst const char * const builtin_lsm_enable = CONFIG_LSM_ENABLE;
+
static __initdata bool debug;
#define init_debug(...) \
do { \
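Review bot: `builtin_lsm_enable` is added without a comment, unlike the neighbouring `chosen_lsm`/`debug` state which is at least self-describing by name, and its relationship to `chosen_lsm` (populated from CONFIG_DEFAULT_SECURITY) is not stated. A one-line comment grounded in the later hunk would suffice: `/* Kconfig default for which LSMs are enabled at boot; parsed into default_enabled by prepare_lsm_enable(). */`. The `__initconst const char * const` qualification is correct for a string that is only read during init, so nothing else to raise on this line.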
@@ -182,7 +184,7 @@ static void __init parse_lsm_enable(const char *str,
static void __init prepare_lsm_enable(void)
{
/* Prepare defaults. */
- parse_lsm_enable("all", default_enabled, true);
+ parse_lsm_enable(builtin_lsm_enable, default_enabled, true);
}
/**
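Review bot: The comment `/* Prepare defaults. */` in prepare_lsm_enable() no longer explains the source of those defaults now that they come from CONFIG_LSM_ENABLE rather than the literal "all"; suggest `/* Seed default_enabled from the Kconfig CONFIG_LSM_ENABLE list (default "all"). */`. A more important point, if parse_lsm_enable() does not already report entries that match no registered LSM (its body is outside this hunk), is that a typo in CONFIG_LSM_ENABLE now silently leaves that LSM disabled at boot, which is exactly the kind of configuration error a defender wants surfaced; emitting a `pr_warn`-style message, or at least an `init_debug(...)` line, for each unrecognised name would make the failure visible in dmesg. Whether an empty CONFIG_LSM_ENABLE string is intended to mean "enable nothing" should also be documented here or in the Kconfig help.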