When CONFIG_SECURITY is not set, CONFIG_LSM (builtin_lsm_order) does
not need to be visible and settable since builtin_lsm_order is defined in
security.o, which is only built when CONFIG_SECURITY=y.

So make CONFIG_LSM depend on CONFIG_SECURITY.

Fixes: 13e735c0e953 ("LSM: Introduce CONFIG_LSM")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
---
Cc: Kees Cook <kees@kernel.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org

 security/Kconfig |    1 +
 1 file changed, 1 insertion(+)

--- linux-next-20250819.orig/security/Kconfig
+++ linux-next-20250819/security/Kconfig
@@ -269,6 +269,7 @@ endchoice
 
 config LSM
 	string "Ordered list of enabled LSMs"
+	depends on SECURITY
 	default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK
 	default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR
 	default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO

On Aug 24, 2025 Randy Dunlap <rdunlap@infradead.org> wrote:
> 
> When CONFIG_SECURITY is not set, CONFIG_LSM (builtin_lsm_order) does
> not need to be visible and settable since builtin_lsm_order is defined in
> security.o, which is only built when CONFIG_SECURITY=y.
> 
> So make CONFIG_LSM depend on CONFIG_SECURITY.
> 
> Fixes: 13e735c0e953 ("LSM: Introduce CONFIG_LSM")
> Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> ---
> Cc: Kees Cook <kees@kernel.org>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: James Morris <jmorris@namei.org>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Cc: linux-security-module@vger.kernel.org
> 
>  security/Kconfig |    1 +
>  1 file changed, 1 insertion(+)

Merged into lsm/dev, thanks!

--
paul-moore.com