[PATCH 1/3] Wire up the lsm_manage_policy syscall
Song Liu
song at kernel.org
Wed May 7 06:26:11 UTC 2025
On Tue, May 6, 2025 at 7:40 AM Maxime Bélair
<maxime.belair at canonical.com> wrote:
>
> Add support for the new lsm_manage_policy syscall, providing a unified
> API for loading and modifying LSM policies without requiring the LSM’s
> pseudo-filesystem.
>
> Benefits:
> - Works even if the LSM pseudo-filesystem isn’t mounted or available
> (e.g. in containers)
> - Offers a logical and unified interface rather than multiple
> heterogeneous pseudo-filesystems.
These two do not feel like real benefits:
- Not working in containers is often not an issue, but a feature.
- One syscall cannot fit all use cases well...
> - Avoids overhead of other kernel interfaces for better efficiency
... and it is probably less efficient, because everything needs to
fit in the same API.
Overall, this set doesn't feel like a good change to me.
Thanks,
Song