summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/Kconfig32
-rw-r--r--security/security.c9
2 files changed, 38 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig
index aeea8c2bb59c..95cc08913ca1 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -152,5 +152,37 @@ source security/tomoyo/Kconfig
source security/integrity/ima/Kconfig
+choice
+ prompt "Default security module"
+ default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+ default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
+ default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+ default DEFAULT_SECURITY_DAC
+
+ help
+ Select the security module that will be used by default if the
+ kernel parameter security= is not specified.
+
+ config DEFAULT_SECURITY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX=y
+
+ config DEFAULT_SECURITY_SMACK
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+
+ config DEFAULT_SECURITY_TOMOYO
+ bool "TOMOYO" if SECURITY_TOMOYO=y
+
+ config DEFAULT_SECURITY_DAC
+ bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config DEFAULT_SECURITY
+ string
+ default "selinux" if DEFAULT_SECURITY_SELINUX
+ default "smack" if DEFAULT_SECURITY_SMACK
+ default "tomoyo" if DEFAULT_SECURITY_TOMOYO
+ default "" if DEFAULT_SECURITY_DAC
+
endmenu
diff --git a/security/security.c b/security/security.c
index 684d5ee655da..aad71b2ca195 100644
--- a/security/security.c
+++ b/security/security.c
@@ -19,7 +19,8 @@
#include <linux/ima.h>
/* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+ CONFIG_DEFAULT_SECURITY;
/* things that live in capability.c */
extern struct security_operations default_security_ops;
@@ -80,8 +81,10 @@ __setup("security=", choose_lsm);
*
* Return true if:
* -The passed LSM is the one chosen by user at boot time,
- * -or user didn't specify a specific LSM and we're the first to ask
- * for registration permission,
+ * -or the passed LSM is configured as the default and the user did not
+ * choose an alternate LSM at boot time,
+ * -or there is no default LSM set and the user didn't specify a
+ * specific LSM and we're the first to ask for registration permission,
* -or the passed LSM is currently loaded.
* Otherwise, return false.
*/