Hi James, This is a quick attempt to integrate lockdown into the existing LSM framework. It adds a new lockdown security hook and an LSM that defines the existing coarse-grained policy, and also adds a new DEFINE_EARLY_LSM() definition in order to permit lockdown (and potentially other modules) to be initialised at the top of kernel init in order to allow policy to be imposed on stuff that happens in setup_arch(). The goal here is to allow policy to be devolved to other LSMs on systems that have a secure mechanism for loading LSM policy early in boot, allowing creation of arbitrarily complicated policies without interfering with the common-case coarse-grained approach.
This should probably be extended so a uapi-exposed constant is passed to the hook in order to make it easier to write policy in other LSMs, but does this broadly look like you were imagining?
