Bernhard40
I think this may be expected as the issues with asan were the reason behind reverting the patch. This is mentioned in the revert [description](https://github.com/anthraxx/linux-hardened/commit/aab425db4279aeb83b7911693f0cccbd3644c9fd). There is a [tracking issue](https://github.com/KSPP/linux/issues/108) on...
@tsautereau-anssi the problem with that is it requires all loaded modules to be signed, which in most scenarios will break out-of-tree ones like wireguard. Managing this at runtime is more...
https://github.com/torvalds/linux/blob/aefcf2f4b58155d27340ba5f9ddbe9513da8286d/kernel/module.c#L2864
@tsautereau-anssi so dkms modules are blocked if you set both `lockdown=confidentiality` and `lsm=lockdown`?
mprotect was supposed to be handled by the S.A.R.A lsm, however development of it stalled. RAP is too hard to maintain without full knowledge of it and keeping it in sync...
You didn't see it all then, the last patch is from [July 2019](https://lore.kernel.org/lkml/[email protected]/). The patches you linked above are from early 2017 though.
Back in the day linux-hardened was mostly targeted at Android, which uses SELinux extensively. This is not the case for the generic Linux platform, so adding an MPROTECT improvement makes sense ....
> It doesn't make sense to have this project make changes overlapping with existing LSMs. As I said the most plausible is adding this feature through separate SARA lsm in...
This sounds very reasonable.
The linux-hardened kconfig selection is vastly incomplete so I wouldn't call it self-contained right now. I think dropping those few patches is accepting the reality that this project is in maintenance...