Re: [PATCH v2 0/3] Allow individual features to be locked down

[Nikolay Borisov]

On 8/14/25 11:59, Nicolas Bouchinet wrote:
> Hi Nikolay,
>
> After discussing with Xiu, we have decided not to accept this patchset.
>
> The goal of Lockdown being to draw a clear line between ring-0 and uid-0,
> having a more granular way to activate Lockdown will break it. Primarily
> because most lockdown-reasons can be bypassed if used independently.
>
> Even if the goal of Lockdown were to be redefined, we would need to ensure the
> security interdependence between different lockdown-reasons. This is highly
> tied to where people calls the `security_locked_down` hook and thus is out of
> our maintenance scope.
>
> Having coarse-grained lockdown reasons and integrity/confidentiality levels
> allows us to ensure that all of the reasons are correctly locked down.
>
> Best regards,
>
> Nicolas

Thanks for the feedback, to try and not have all this code go to waste, 
what about consdering patch 2 - kunits tests. Apart from 
lockdown_test_individual_level() the other tests are applicable to the 
existing lockdown implementation and can aid in future developments?