On 5/30/2023 11:02 AM, Jeff Xu wrote: >>>> As I believe we are in the latter stages of review for the syscall >>>> API, perhaps you could take a look and ensure that the current >>>> proposed API works for what you are envisioning with Landlock? >>>> >>> Which review/patch to look for the proposed API ? >> https://lore.kernel.org/lkml/20230428203417.159874-3-casey@xxxxxxxxxxxxxxxx/T/ >> >> > How easy is it to add a customized LSM with new APIs? I haven't found it difficult, but that was in the pre-syscall era. Look at Landlock for an example of LSM specific syscalls, if you want to go that route. > I'm asking because there are some hard-coded constant/macro, i.e. > > +#define LSM_ID_LANDLOCK 111 > (Do IDs need to be sequential ?) No, but I would want a good reason for doing otherwise. > + define LSM_CONFIG_COUNT > > Today, only security/Kconfig change is needed to add a new LSM, I think ? That's correct. The syscall patches make it a trifle more difficult, requiring they be acknowledged in security.c. We could probably work around that, but it's really a small price to pay to get a constant value.
