projects / cascardo / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1284ab5) | patch
LSM: LoadPin for kernel file loading restrictions
authorKees Cook <keescook@chromium.org>
Wed, 20 Apr 2016 22:46:28 +0000 (15:46 -0700)
committerJames Morris <james.l.morris@oracle.com>
Thu, 21 Apr 2016 00:47:27 +0000 (10:47 +1000)
commit9b091556a073a9f5f93e2ad23d118f45c4796a84
tree075fffff80b5caad9738f633c83333dea9e04efdtree | snapshot
parent1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262commit | diff
LSM: LoadPin for kernel file loading restrictions

This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Documentation/security/LoadPin.txt [new file with mode: 0644] blob
MAINTAINERS diff | blob | history
include/linux/lsm_hooks.h diff | blob | history
security/Kconfig diff | blob | history
security/Makefile diff | blob | history
security/loadpin/Kconfig [new file with mode: 0644] blob
security/loadpin/Makefile [new file with mode: 0644] blob
security/loadpin/loadpin.c [new file with mode: 0644] blob
security/security.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.