LSM: Ignore "security=" when "lsm=" is specified (89a9684e) · Commits · 戴 / test

Documentation/admin-guide/kernel-parameters.txt

+4 −6

Original line number	Diff line number	Diff line
		@@ -2321,7 +2321,7 @@

		lsm=lsm1,...,lsmN
		[SECURITY] Choose order of LSM initialization. This
		overrides CONFIG_LSM.
		overrides CONFIG_LSM, and the "security=" parameter.

		machvec= [IA-64] Force the use of a particular machine-vector
		(machvec) in a generic kernel.
		@@ -4094,11 +4094,9 @@
		Note: increases power consumption, thus should only be
		enabled if running jitter sensitive (HPC/RT) workloads.

		security= [SECURITY] Choose a security module to enable at boot.
		If this boot parameter is not specified, only the first
		security module asking for security registration will be
		loaded. An invalid security module name will be treated
		as if no module has been chosen.
		security= [SECURITY] Choose a legacy "major" security module to
		enable at boot. This has been deprecated by the
		"lsm=" parameter.

		selinux= [SELINUX] Disable or enable SELinux at boot time.
		Format: { "0" \| "1" }

+6 −2

Original line number	Diff line number	Diff line
		@@ -288,9 +288,13 @@ static void __init ordered_lsm_init(void)
		ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
		GFP_KERNEL);

		if (chosen_lsm_order)
		if (chosen_lsm_order) {
		if (chosen_major_lsm) {
		pr_info("security= is ignored because it is superseded by lsm=\n");
		chosen_major_lsm = NULL;
		}
		ordered_lsm_parse(chosen_lsm_order, "cmdline");
		else
		} else
		ordered_lsm_parse(builtin_lsm_order, "builtin");

		for (lsm = ordered_lsms; *lsm; lsm++)