On 2024/05/16 9:35, KP Singh wrote:
> Since we know the address of the enabled LSM callbacks at compile time and only
> the order is determined at boot time, the LSM framework can allocate static
> calls for each of the possible LSM callbacks and these calls can be updated once
> the order is determined at boot.

I don't like this assumption. None of the built-in LSMs is used by (or affordable for) my customers. There is a reality that only out-of-tree security modules which the distributor (namely, Red Hat) cannot support (and therefore cannot be built into RHEL kernels) are used by (or affordable for) such customers. Therefore, without giving room for allowing such security modules to load after boot, I consider this change a regression.