On Wed, May 01, 2013 at 02:30:53PM -0700, John Johansen wrote: > --- a/security/apparmor/Kconfig > +++ b/security/apparmor/Kconfig > @@ -29,3 +29,14 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE > boot. > > If you are unsure how to answer this question, answer 1. > + > +config SECURITY_APPARMOR_UNCONFINED_INIT > + bool "Set init to unconfined on boot" > + depends on SECURITY_APPARMOR > + default y > + help > + This option determines policy behavior during early boot by > + placing the init process in the unconfined state, or the > + 'default' profile. > + > + If you are unsure how to answer this question, answer Y.
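Review bot: The help text for SECURITY_APPARMOR_UNCONFINED_INIT never says which answer selects which behaviour. The sentence "placing the init process in the unconfined state, or the 'default' profile" leaves the reader to infer from the prompt string that Y means unconfined and N means the 'default' profile. Spell out the mapping for each value in the help text, and say what each choice means for early-boot processes, since the text recommends Y with "default y" but gives no indication of the trade-off that recommendation accepts.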
I think this description needs some enhancement; I thought the boolean was the other way around until I thought I spotted a bug with a ! in the conditionals. How about: > + This option determines policy behavior during early boot by > + placing the init process in the unconfined state, or the > + 'default' profile. > + > + 'Y' means init and its children are not confined, and never > + can be confined; loaded policy will only apply to processes > + started afterwards. > + > + 'N' means init and its children are confined in a profile > + named 'default', which can be replaced later and thus > + provide for confining even processes started early at boot, > + though not confined during early boot. This can provide for > + complete system confinement. > + > + If you are unsure how to answer this question, answer Y. Thanks
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
