Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall

[PATCH 0/3] lsm: introduce lsm_manage_policy() syscall · Maxime Bélair <hidden> · 2025-05-06
[PATCH 3/3] AppArmor: add support for lsm_manage_policy · Maxime Bélair <hidden> · 2025-05-06
[PATCH 1/3] Wire up the lsm_manage_policy syscall · Maxime Bélair <hidden> · 2025-05-06
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Song Liu <song@kernel.org> · 2025-05-07
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Maxime Bélair <hidden> · 2025-05-07
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2025-05-07
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Mickaël Salaün <mic@digikod.net> · 2025-05-09
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · John Johansen <john.johansen@canonical.com> · 2025-05-11
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Song Liu <song@kernel.org> · 2025-05-08
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Mickaël Salaün <mic@digikod.net> · 2025-05-09
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · John Johansen <john.johansen@canonical.com> · 2025-05-11
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · Mickaël Salaün <mic@digikod.net> · 2025-05-12
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · John Johansen <john.johansen@canonical.com> · 2025-05-17
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 1/3] Wire up the lsm_manage_policy syscall · kernel test robot <hidden> · 2025-05-07
[PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Maxime Bélair <hidden> · 2025-05-06
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Song Liu <song@kernel.org> · 2025-05-07
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Maxime Bélair <hidden> · 2025-05-07
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2025-05-07
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Maxime Bélair <hidden> · 2025-05-07
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Paul Moore <paul@paul-moore.com> · 2025-05-07
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Casey Schaufler <casey@schaufler-ca.com> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Mickaël Salaün <mic@digikod.net> · 2025-05-09
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Casey Schaufler <casey@schaufler-ca.com> · 2025-05-09
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-11
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-11
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2025-05-08
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · John Johansen <john.johansen@canonical.com> · 2025-05-09
Re: [PATCH 2/3] lsm: introduce security_lsm_manage_policy hook · kernel test robot <hidden> · 2025-05-07

From: Song Liu <song@kernel.org>
Date: 2025-05-07 06:26:33
Also in: linux-api, lkml

On Tue, May 6, 2025 at 7:40 AM Maxime Bélair
[off-list ref] wrote:

Add support for the new lsm_manage_policy syscall, providing a unified
API for loading and modifying LSM policies without requiring the LSM’s
pseudo-filesystem.

Benefits:
  - Works even if the LSM pseudo-filesystem isn’t mounted or available
    (e.g. in containers)
  - Offers a logical and unified interface rather than multiple
    heterogeneous pseudo-filesystems.

These two do not feel like real benefits:
- Not working in containers is often not an issue, but a feature.
- One syscall cannot fit all use cases well...

  - Avoids overhead of other kernel interfaces for better efficiency

.. and it is is probably less efficient, because everything need to
fit in the same API.

Overall, this set doesn't feel like a good change to me.

Thanks,
Song

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help