Merge tag 'lsm-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
[linux-block.git] / security / Kconfig
index 9009893fb3f5f2726b50ef33b7e81b42057f347c..cbf9bbc86b9c381010ea326ccda5ccdc760d3e8a 100644 (file)
@@ -241,15 +241,17 @@ endchoice
 
 config LSM
        string "Ordered list of enabled LSMs"
-       default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
-       default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
-       default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
-       default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC
-       default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
+       default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK
+       default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR
+       default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO
+       default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC
+       default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf"
        help
          A comma-separated list of LSMs, in initialization order.
-         Any LSMs left off this list will be ignored. This can be
-         controlled at boot with the "lsm=" parameter.
+         Any LSMs left off this list, except for those with order
+         LSM_ORDER_FIRST and LSM_ORDER_LAST, which are always enabled
+         if selected in the kernel configuration, will be ignored.
+         This can be controlled at boot with the "lsm=" parameter.
 
          If unsure, leave this as the default.
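Review bot: In the new help text, the closing sentence `This can be controlled at boot with the "lsm=" parameter.` now follows the clause about LSM_ORDER_FIRST and LSM_ORDER_LAST, so "This" can be read as saying those always-enabled LSMs can be turned off with lsm=, which contradicts the sentence before it. The same hunk drops "integrity" from every default string, apparently because it is now one of those fixed-order LSMs, so someone auditing a configuration could wrongly conclude that leaving it out of CONFIG_LSM or lsm= disables it. I would reword the last sentence as `The list can be overridden at boot with the "lsm=" parameter; LSMs with order LSM_ORDER_FIRST or LSM_ORDER_LAST are not affected by it.` It would also help to say what happens to an existing CONFIG_LSM or lsm= value that still names "integrity"; presumably the name is ignored, but that is not visible in this hunk.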