| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <60f17362-af8e-46db-9bcf-be85b84a525d@suse.com> Date: Thu, 14 Aug 2025 13:02:36 +0300 From: Nikolay Borisov <nik.borisov@...e.com> To: Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr> Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, paul@...l-moore.com, serge@...lyn.com, jmorris@...ei.org, dan.j.williams@...el.com, Xiujianfeng <xiujianfeng@...wei.com> Subject: Re: [PATCH v2 0/3] Allow individual features to be locked down On 8/14/25 11:59, Nicolas Bouchinet wrote: > Hi Nikolay, > > After discussing with Xiu, we have decided not to accept this patchset. > > The goal of Lockdown being to draw a clear line between ring-0 and uid-0, > having a more granular way to activate Lockdown will break it. Primarily > because most lockdown-reasons can be bypassed if used independently. > > Even if the goal of Lockdown were to be redefined, we would need to ensure the > security interdependence between different lockdown-reasons. This is highly > tied to where people calls the `security_locked_down` hook and thus is out of > our maintenance scope. > > Having coarse-grained lockdown reasons and integrity/confidentiality levels > allows us to ensure that all of the reasons are correctly locked down. > > Best regards, > > Nicolas Thanks for the feedback, to try and not have all this code go to waste, what about consdering patch 2 - kunits tests. Apart from lockdown_test_individual_level() the other tests are applicable to the existing lockdown implementation and can aid in future developments?
Powered by blists - more mailing lists