Re: [RFC] Turn lockdown into an LSM

[RFC] Turn lockdown into an LSM · Matthew Garrett <hidden> · 2019-05-21
[RFC 1/2] security: Support early LSMs · Matthew Garrett <hidden> · 2019-05-21
[RFC 2/2] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-05-21
Re: [RFC 2/2] Add the ability to lock down access to the running kernel image · James Morris <jmorris@namei.org> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · James Morris <jmorris@namei.org> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · Matthew Garrett <hidden> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · Andy Lutomirski <luto@kernel.org> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · James Morris <jmorris@namei.org> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · Stephen Smalley <hidden> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · James Morris <jmorris@namei.org> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · Casey Schaufler <casey@schaufler-ca.com> · 2019-05-22
Re: [RFC] Turn lockdown into an LSM · Stephen Smalley <hidden> · 2019-05-22

From: Matthew Garrett <hidden>
Date: 2019-05-22 16:49:06
Also in: lkml

On Tue, May 21, 2019 at 7:40 PM James Morris [off-list ref] wrote:

An LSM could also potentially implement its own policy for the hook.

That was my plan. Right now the hook just gets an ASCII description of
the reason for the lockdown - that seems suboptimal for cases like
SELinux. What information would you want? My initial thinking was to
just have a stable enum of lockdown reasons that's in the UAPI headers
and then let other LSM tooling consume that, but I haven't spent
enough time with the internals of SELinux to know if there'd be a more
attractive solution.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help