On Tue, May 07, 2024 at 09:45:09PM -0400, Paul Moore wrote:
> I don't want individual LSMs manipulating the LSM hook state directly;
> they go through the LSM layer to register their hooks, they should go
> through the LSM layer to unregister or enable/disable their hooks.
> I'm going to be pretty inflexible on this point.

No other LSMs unregister or disable hooks. :) Let's drop patch 5; 1-4
stand alone.

> Honestly, I see this more as a problem in the BPF LSM design (although
> one might argue it's an implementation issue?), just as I saw the
> SELinux runtime disable as a problem. If you're upset with the
> runtime hook disable, and you should be, fix the BPF LSM, don't force
> more bad architecture on the LSM layer.

We'll have to come back to this later. It's a separate (but closely
related) issue.

--
Kees Cook