On Thu, Nov 2, 2023 at 10:42 AM Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
> I didn't get your response on https://lkml.kernel.org/r/c588ca5d-c343-4ea2-a1f1-4efe67ebb8e3@xxxxxxxxxxxxxxxxxxx .
>
> Do you agree that we cannot replace LKM-based LSMs with eBPF-based access control mechanisms,
> and do you admit that this series makes LKM-based LSMs more difficult to use?

If you want to do a proper in-tree version of dynamic LSMs, there can be an exported symbol that allocates a dynamic slot and registers LSM hooks to it. This is very doable, but it's not my use case, so I am not going to do it.

No, it does not make LKM-based LSMs difficult to use. I am not ready to have that debate again. I suggested multiple extensions in my replies which you chose to ignore.

Regarding BPF, it's very much possible. As I suggested many times, you need to rethink it in terms of implementing policy and not try to dump the whole code and interface into BPF and expect it to work. It will need some design work and that's on you. We can help you, we can also take patches for anything BPF would need to make stuff work (I don't see anything obvious needed yet). But we surely won't write the code for you.

>