Features:
+* system lsmbpf policy that prohibits creating files owned by "nobody"
+ system-wide
+
+* system lsmpbf policy that prohibits creating or opening device nodes outside
+ of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null,
+ /dev/zero, /dev/urandom and so on.
+
+* system lsmbpf policy that enforces that block device backed mounts may only
+ be established on top of dm-crypt or dm-verity devices, or an allowlist of
+ file systems (which should probably include vfat, for compat with the ESP)
+
* $LISTEN_PID, $MAINPID and $SYSTEMD_EXECPID env vars that the service manager
sets should be augmented with $LISTEN_PIDFDID, $MAINPIDFDID and
$SYSTEMD_EXECPIDFD (and similar for other env vars we might send).
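Review bot: the second bullet misspells the policy name as "lsmpbf" while the first and third say "lsmbpf"; please use one spelling so the three items are greppable as a group. In the same bullet, "prohibits creating or opening device nodes outside of devtmpfs/tmpfs" should say how the pseudo-device exception is identified: by path ("/dev/null, /dev/zero, /dev/urandom") a policy is trivially bypassed by a device node of the same major/minor under another name, so the allowlist should be keyed on device numbers, not names. The third bullet would also benefit from naming where the file system allowlist lives and noting that dm-crypt/dm-verity should be detected via the underlying device (e.g. its dm target), since a path-based check has the same problem. Minor: the trailing context line reads "$SYSTEMD_EXECPIDFD" where the pattern of the other two variables suggests "$SYSTEMD_EXECPIDFDID"; worth fixing while touching this section.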