On Thu, May 07, 2020 at 02:06:31PM -0400, Rafael Aquini wrote:
> Another, perhaps less frequent, use for this option would be
> as a means for assuring a security policy (in paranoid mode)
> case where no single taint is allowed for the running system.

If used for this purpose then we must add a new TAINT flag for
proc_taint() was used, otherwise we can cheat to show a taint
*did* happen, where in fact it never happened, some punk just
echo'd a value into the kernel's /proc/sys/kernel/tainted.

Fortunately proc_taint() only allows to *increment* the taint, not
reduce.

  Luis