On Mon, Nov 20, 2023 at 8:28 AM Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: > > This functionality will be used by TOMOYO security module. > > In order to officially use an LSM module, that LSM module has to be > built into vmlinux. This limitation has been a big barrier for allowing > distribution kernel users to use LSM modules which the organization who > builds that distribution kernel cannot afford supporting [1]. Therefore, > I've been asking for ability to append LSM hooks from LKM-based LSMs so > that distribution kernel users can use LSMs which the organization who > builds that distribution kernel cannot afford supporting. It doesn't really matter for this discussion, but based on my days working for a Linux distro company I would be very surprised if a commercial distro would support a system running unapproved third-party kernel modules. We've talked a lot about this core problem and I maintain that it is still a disto problem and not something I'm really concerned about upstream. -- paul-moore.com
