An opinion about Linux security

Timur Chernykh tim.cherry.co at gmail.com
Wed Dec 10 00:15:39 UTC 2025


Hello Linus,

I’m writing to ask for your opinion. What do you think about Linux’s
current readiness for security-focused commercial products? I’m
particularly interested in several areas.

First, in today’s 3rd-party (out-of-tree) EDR development — EDR being
the most common commercial class of security products — eBPF has
effectively become the main option. Yet eBPF is extremely restrictive.
It is not possible to write fully expressive real-time analysis code:
the verifier is overly strict, non-deterministic loops are not
allowed, and older kernels lack BTF support. These issues create real
limitations.

Second, the removal of the out-of-tree LSM API in the 4.x kernel
series caused significant problems for many AV/EDR vendors. I was
unable to find an explanation in the mailing lists that convincingly
justified that decision.

The next closest mechanism, fanotify, was a genuine improvement.
However, it does not allow an AV/EDR vendor to protect the integrity
of its own product. Is Linux truly expecting modern AV/EDR solutions
to rely on fanotify alone?

My main question is: what are the future plans? Linux provides very
few APIs for security and dynamic analysis. eBPF is still immature,
fanotify is insufficient, and driver workarounds that bypass kernel
restrictions are risky — they introduce both stability and security
problems. At the same time, properly implemented in-tree LSMs are not
inherently dangerous and remain the safer, supported path for
extending security functionality. Without safe, supported interfaces,
however, commercial products struggle to be competitive. At the
moment, macOS with its Endpoint Security Framework is significantly
ahead.

Yes, the kernel includes multiple in-tree LSM modules, but in practice
SELinux does not simplify operations — it often complicates them,
despite its long-standing presence. Many of the other LSMs are rarely
used in production. As an EDR developer, I seldom encounter them, and
when I do, they usually provide little practical value. Across
numerous real-world server intrusions, none of these LSM modules have
meaningfully prevented attacks, despite many years of kernel
development.

Perhaps it is time for Linux to focus on more than a theoretical model
of security.

P.S.
Everything above reflects only my personal opinion. I would greatly
appreciate your response and any criticism you may have.

Best regards,
Timur Chernykh