[PATCH 23/27] bpf: Restrict kernel image access functions when the kernel is locked down

Matthew Garrett mjg59 at google.com
Tue Mar 26 20:19:10 UTC 2019


On Tue, Mar 26, 2019 at 11:57 AM James Morris <jmorris at namei.org> wrote:
> - Assign an ID to each lockdown point
> - Implement a policy mechanism where each ID is mapped to 0 or 1
> - Allow this policy to be specified statically or dynamically

One of the problems with this approach is what the default behaviour
should be when a new feature is added. If an admin fails to notice
that there's now a new policy element, they run the risk of kernel
integrity being compromised via the new feature even if the rest of
the kernel is locked down.
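
The failure mode described in the reply above, as an added example that is not part of the original message or of any kernel patch: a per-point policy written before a new lockdown point existed leaves that point unset, and the lookup default decides whether it stays protected. The point names, the `name=0|1` policy syntax, and the reading of 1 as "locked down" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical lockdown points (not the kernel's identifiers). LP_BPF_READ
 * stands for a feature added after the admin wrote the policy. */
enum lockdown_point { LP_DEV_MEM, LP_KEXEC, LP_BPF_READ, LP_MAX };
static const char *const lp_names[LP_MAX] = { "dev_mem", "kexec", "bpf_read" };

enum verdict { UNSET = -1, ALLOW = 0, DENY = 1 };
struct policy { enum verdict v[LP_MAX]; };

/* Parse "name=0,name=1,..." (assumed syntax; 1 = locked down). Points the
 * text never names stay UNSET. Returns 0 on success, -1 on malformed input. */
int policy_parse(struct policy *p, const char *text)
{
    for (int i = 0; i < LP_MAX; i++)
        p->v[i] = UNSET;
    while (*text) {
        size_t n = strcspn(text, "=");
        int i;
        if (text[n] != '=' || (text[n + 1] != '0' && text[n + 1] != '1'))
            return -1;
        for (i = 0; i < LP_MAX; i++)
            if (strlen(lp_names[i]) == n && !strncmp(text, lp_names[i], n))
                break;
        if (i == LP_MAX)
            return -1;                      /* unknown point name */
        p->v[i] = text[n + 1] == '1' ? DENY : ALLOW;
        text += n + 2;
        if (*text == ',')
            text++;
        else if (*text)
            return -1;                      /* junk after the 0/1 value */
    }
    return 0;
}

/* Returns 1 if the operation is permitted. fail_closed chooses what an
 * UNSET point means: denied (1) or permitted (0). */
int policy_permits(const struct policy *p, enum lockdown_point lp, int fail_closed)
{
    if (p->v[lp] == UNSET)
        return !fail_closed;
    return p->v[lp] == ALLOW;
}

int main(void)
{
    struct policy p;
    policy_parse(&p, "dev_mem=1,kexec=1");  /* constructed policy predating bpf_read */
    printf("default-allow: bpf_read permitted=%d\n", policy_permits(&p, LP_BPF_READ, 0));
    printf("default-deny:  bpf_read permitted=%d\n", policy_permits(&p, LP_BPF_READ, 1));
    return 0;
}
```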


