From c79d38d4127c630431017c389cce6006e671e5af Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 30 Oct 2024 09:06:33 +0100
Subject: [PATCH] update TODO

---
 TODO | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/TODO b/TODO
index 286a09de86f..e6ffa54005d 100644
--- a/TODO
+++ b/TODO
@@ -129,6 +129,17 @@ Deprecations and removals:
 
 Features:
 
+* system lsmbpf policy that prohibits creating files owned by "nobody"
+  system-wide
+
+* system lsmpbf policy that prohibits creating or opening device nodes outside
+  of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null,
+  /dev/zero, /dev/urandom and so on.
+
+* system lsmbpf policy that enforces that block device backed mounts may only
+  be established on top of dm-crypt or dm-verity devices, or an allowlist of
+  file systems (which should probably include vfat, for compat with the ESP)
+
 * $LISTEN_PID, $MAINPID and $SYSTEMD_EXECPID env vars that the service manager
   sets should be augmented with $LISTEN_PIDFDID, $MAINPIDFDID and
   $SYSTEMD_EXECPIDFD (and similar for other env vars we might send).
-- 
2.47.3