Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation

On Fri, May 30, 2025 at 3:03 AM Simon Thoby <git@xxxxxxxxxxxxx> wrote:
> On 5/30/25 01:49, Paul Moore wrote:
> >
> > My thinking around possible augmentation of LoadPin is that both
> > LoadPin and Loadpol share a similar, limited focus of controlling
> > access to kernel module loading and Loadpol has support for a basic
> > loadable policy, a policy that could likely be extended to support a
> > LoadPin-esque construct that limits module loading based on filesystem
> > pinning.  It probably makes more sense to think of adding LoadPin
> > support to Loadpol, rather than augmenting LoadPin to support the
> > Loadpol concepts, but for consistency with upstream we probably need
> > to speak in terms of the latter.
>
> Thanks for the reply, I now see what you meant. I will try to put something
> together (hopefully next week), starting with looking at how we can express
> the current LoadPin feature set as a loadable and user-extensible policy, and
> then add non-filesystem-related policy entries (like module name restrictions)
> to that policy.

You may want to see what Kees thinks of the idea before you spend too
much time on this as he is the LoadPin maintainer.  I'm guessing he
would be okay with the additions, but that is just a guess on my part.

-- 
paul-moore.com




