On Fri, 2011-05-13 at 11:10 -0400, Eric Paris wrote: > Then again, I certainly don't see a > reason that this syscall hardening patch should be held up while a whole > new concept in computer security is contemplated... Which makes me wonder why this syscall hardening stuff is done outside of LSM? Why isn't is part of the LSM so that say SELinux can have a syscall bitmask per security context? Making it part of the LSM also avoids having to add this prctl().