GrapheneOS / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
https://grapheneos.org/

Enable TOMOYO by default #39

Closed x4rxes closed 7 years ago

x4rxes commented 7 years ago

Used to be on linux-grsec.

thestinger commented 7 years ago

That's outside the scope of this project, it's a downstream packaging choice.

dbaxa commented 7 years ago

@thestinger do you consider enabling yama a downstream packaging choice as well?

thestinger commented 7 years ago

Yama doesn't require userspace integration. On the other hand, enabling TOMOYO by default here wouldn't accomplish anything and doesn't make any sense. Regardless, changing the defaults here doesn't actively change downstream configuration and isn't important. It only impacts the defaults in freshly generated configuration, not a new configuration derived from a previous one. Configuration is always going to be a downstream choice. It isn't going to be forced unless there's truly no reason to have something available as a configuration option.
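
The point above about defaults, as an added example that is not part of the thread or of the project's code: a simplified Python model of how `make olddefconfig` treats an existing `.config`. The sample config, the flipped TOMOYO default and the function names are constructed for illustration, and only bool symbols are modelled.

```python
import re

# Simplified model of `make olddefconfig` (assumption: real Kconfig also
# resolves dependencies, choices and non-bool types; this handles bools only).
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_dotconfig(text):
    """Return {symbol: value} for every symbol the .config records an answer for."""
    answers = {}
    for line in text.splitlines():
        line = line.strip()
        if m := SET_RE.match(line):
            answers[m.group(1)] = m.group(2)
        elif m := UNSET_RE.match(line):
            # "is not set" is a recorded answer ("n"), not a missing one.
            answers[m.group(1)] = "n"
    return answers

def olddefconfig(old_text, tree_defaults):
    """Keep each recorded answer; only symbols with no answer take the tree default."""
    old = parse_dotconfig(old_text)
    return {sym: old.get(sym, default) for sym, default in tree_defaults.items()}

# Constructed downstream config that already answered the TOMOYO question.
OLD_CONFIG = """
CONFIG_SECURITY=y
CONFIG_SECURITY_YAMA=y
# CONFIG_SECURITY_TOMOYO is not set
"""

# Hypothetical tree in which the TOMOYO default was flipped to "y".
PATCHED_DEFAULTS = {
    "CONFIG_SECURITY": "y",
    "CONFIG_SECURITY_YAMA": "y",
    "CONFIG_SECURITY_TOMOYO": "y",
}

if __name__ == "__main__":
    fresh = olddefconfig("", PATCHED_DEFAULTS)
    derived = olddefconfig(OLD_CONFIG, PATCHED_DEFAULTS)
    print("fresh config  :", fresh["CONFIG_SECURITY_TOMOYO"])
    print("derived config:", derived["CONFIG_SECURITY_TOMOYO"])
```
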

Atavic commented 6 years ago

Right, TOMOYO, like any Mandatory Access Control, requires the active use of its Policy Editor: the default profile "0", also known as "Disabled Mode", is completely unrestricted.