On Tue, Mar 26, 2019 at 11:57 AM James Morris <jmorris@xxxxxxxxx> wrote:
> - Assign an ID to each lockdown point
> - Implement a policy mechanism where each ID is mapped to 0 or 1
> - Allow this policy to be specified statically or dynamically

One of the problems with this approach is what the default behaviour should be when a new feature is added. If an admin fails to notice that there's now a new policy element, they run the risk of kernel integrity being compromised via the new feature even if the rest of the kernel is locked down.
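The following is an added illustration, not code from the thread or from the kernel lockdown patches, of the per-ID policy scheme quoted above and of the default-handling problem the reply raises. The lockdown IDs, their names, the `name=0|1` policy syntax and the `ld_*` helpers are all constructed for this example; the kernel's real lockdown reasons and any real policy syntax are not assumed. The point it makes concrete: a policy written before `new_feature` existed never mentions it, so a lookup that treats "unmentioned" as "not locked" silently leaves the new feature open, whereas a fail-closed lookup keeps it locked until the admin says otherwise, and an unset count lets tooling flag the gap.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical lockdown points (constructed for this example). A feature
 * added in a later kernel release simply gets the next ID. */
enum lockdown_id {
    LD_KEXEC = 0,
    LD_MODULE_UNSIGNED,
    LD_DEV_MEM,
    LD_NEW_FEATURE,   /* appended after the admin wrote their policy */
    LD_COUNT
};

/* Policy values: 1 = locked down (operation blocked), 0 = not locked.
 * A third state records IDs the policy never mentioned. */
enum ld_state { LD_UNSET = 0, LD_OPEN, LD_LOCKED };

struct ld_policy {
    enum ld_state state[LD_COUNT];
    int fail_closed;  /* 1: treat LD_UNSET as locked; 0: treat it as open */
};

static const char *ld_names[LD_COUNT] = {
    "kexec", "module_unsigned", "dev_mem", "new_feature"
};

/* Parse a static policy spec of the form "name=0,name=1" (constructed syntax).
 * Returns the number of entries set, or -1 on a malformed or unknown entry. */
static int ld_policy_parse(struct ld_policy *p, const char *spec, int fail_closed)
{
    char buf[256];
    int n = 0;

    memset(p, 0, sizeof(*p));         /* every ID starts as LD_UNSET */
    p->fail_closed = fail_closed;
    strncpy(buf, spec, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *eq = strchr(tok, '=');
        int found = 0;
        if (!eq || (eq[1] != '0' && eq[1] != '1') || eq[2] != '\0')
            return -1;
        *eq = '\0';
        for (int i = 0; i < LD_COUNT; i++) {
            if (strcmp(tok, ld_names[i]) == 0) {
                p->state[i] = (eq[1] == '1') ? LD_LOCKED : LD_OPEN;
                found = 1;
                n++;
                break;
            }
        }
        if (!found)
            return -1;                /* reject typos rather than ignore them */
    }
    return n;
}

/* Returns 1 if the operation behind `id` is blocked, 0 if it is permitted.
 * Out-of-range IDs are always blocked. */
static int ld_blocked(const struct ld_policy *p, enum lockdown_id id)
{
    if ((int)id < 0 || id >= LD_COUNT)
        return 1;
    switch (p->state[id]) {
    case LD_LOCKED: return 1;
    case LD_OPEN:   return 0;
    default:        return p->fail_closed ? 1 : 0;  /* the contested default */
    }
}

/* Number of IDs the policy never mentioned, so tooling can warn the admin
 * that a new lockdown point appeared since the policy was written. */
static int ld_unset_count(const struct ld_policy *p)
{
    int n = 0;
    for (int i = 0; i < LD_COUNT; i++)
        if (p->state[i] == LD_UNSET)
            n++;
    return n;
}

int main(void)
{
    /* Constructed policy written when only three lockdown points existed. */
    const char *old_spec = "kexec=1,module_unsigned=1,dev_mem=1";
    struct ld_policy open_default, closed_default;

    ld_policy_parse(&open_default, old_spec, 0);
    ld_policy_parse(&closed_default, old_spec, 1);

    printf("fail-open:   new_feature blocked=%d (unset entries: %d)\n",
           ld_blocked(&open_default, LD_NEW_FEATURE), ld_unset_count(&open_default));
    printf("fail-closed: new_feature blocked=%d (unset entries: %d)\n",
           ld_blocked(&closed_default, LD_NEW_FEATURE), ld_unset_count(&closed_default));
    return 0;
}
```

With the fail-open default the old policy leaves `new_feature` unblocked even though everything the admin knew about is locked; with the fail-closed default it stays blocked, and `ld_unset_count()` reports the one entry the admin has not yet decided on.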