On Mon, Sep 17, 2018 at 4:26 PM, John Johansen <john.johan...@canonical.com> wrote:
> On 09/17/2018 04:20 PM, Kees Cook wrote:
>> On Mon, Sep 17, 2018 at 4:10 PM, Mickaël Salaün <m...@digikod.net> wrote:
>>> Landlock, because it targets unprivileged users, should only be called
>>> after all other major (access-control) LSMs. The admin or distro must
>>> not be able to change that order in any way. This constraint doesn't
>>> apply to current LSMs, though.
>>
>> Good point! It will be easy to add LSM_ORDER_LAST, though, given the
>> machinery introduced in this series.
>>
>
> And when we have two LSMs that want to use that?

We'll cross that bridge when we come to it, but perhaps "last exclusive"?
(lsm.enable/disable to choose)

-Kees

--
Kees Cook
Pixel Security