[PATCH v2 0/3] Allow individual features to be locked down
Nicolas Bouchinet
nicolas.bouchinet at oss.cyber.gouv.fr
Thu Aug 14 08:59:35 UTC 2025
Hi Nikolay,
After discussing with Xiu, we have decided not to accept this patchset.
The goal of Lockdown being to draw a clear line between ring-0 and uid-0,
having a more granular way to activate Lockdown will break it. Primarily
because most lockdown-reasons can be bypassed if used independently.
Even if the goal of Lockdown were to be redefined, we would need to ensure the
security interdependence between different lockdown-reasons. This is highly
tied to where people calls the `security_locked_down` hook and thus is out of
our maintenance scope.
Having coarse-grained lockdown reasons and integrity/confidentiality levels
allows us to ensure that all of the reasons are correctly locked down.
Best regards,
Nicolas
More information about the Linux-security-module-archive
mailing list