[apparmor] [PATCH 08/36] apparmor: provide the ability to boot with a default profile set on init

[Seth Arnold]

On Wed, May 01, 2013 at 02:30:53PM -0700, John Johansen wrote:
> --- a/security/apparmor/Kconfig
> +++ b/security/apparmor/Kconfig
> @@ -29,3 +29,14 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
>  	  boot.
>  
>  	  If you are unsure how to answer this question, answer 1.
> +
> +config SECURITY_APPARMOR_UNCONFINED_INIT
> +	bool "Set init to unconfined on boot"
> +	depends on SECURITY_APPARMOR
> +	default y
> +	help
> +	  This option determines policy behavior during early boot by
> +	  placing the init process in the unconfined state, or the
> +	  'default' profile.
> +
> +	  If you are unsure how to answer this question, answer Y.

I think this description needs some enhancement; I thought the boolean
was the other way around until I thought I spotted a bug with a ! in
the conditionals.

How about:

> +	  This option determines policy behavior during early boot by
> +	  placing the init process in the unconfined state, or the
> +	  'default' profile.
> +
> +       'Y' means init and its children are not confined, and never
> +       can be confined; loaded policy will only apply to processes
> +       started afterwards.
> +
> +       'N' means init and its children are confined in a profile
> +       named 'default', which can be replaced later and thus
> +       provide for confining even processes started early at boot,
> +       though not confined during early boot. This can provide for
> +       complete system confinement.
> +
> +	  If you are unsure how to answer this question, answer Y.

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130508/a2a9c4ae/attachment.pgp>