On Fri, Sep 24, 2021 at 12:38 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> I would vote for just removing it rather than basically duplicating
> the Lockdown LSM functionality.

/me records the vote

> (Well... I *tried* to make this thing work, but it really feels like
> too much hassle to reasonably tweak all the existing callers to
> fulfill the SELinux expectations to be worth it. I admit I'll be kind
> of relieved to see the lockdown class go - it brought me nothing but
> pain :) It would be a nice feature if done right, but that would have
> to be a new patch that somehow deals with all the intricacies...
> Either someone finds enough motivation to do it, or it just shouldn't
> be there, IMHO.)

I'm really only willing to entertain one of two options here: 1) stick
to a lockdown-esque, always kernel_t hook or 2) remove the SELinux
hook implementation. Anyone who sends me a patch doing something else
is likely going to see it NACK'd as soon as I check my email. Maybe
I'll soften my stance on this in a year or two, but I *really* don't
like having email exchanges with Linus like what I had this week.

--
paul moore
www.paul-moore.com