On Thu, 27 Sep 2018, Dave Chinner wrote: > Sure, but there are so many CAP_SYS_ADMIN-only ioctls in the kernel > that have no LSM coverage that this is not an isolated problem that > people setting up such systems have to deal with. I could be missing something here, but all ioctls are mediated by LSM at a high level (security_file_ioctl). Some problematic ones are singled out at that point by LSMs for special handling. -- James Morris <jmorris@xxxxxxxxx>
