LSM: LoadPin: provide enablement CONFIG

Instead of being enabled by default when SECURITY_LOADPIN is selected,
provide an additional (default off) config to determine the boot time
behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains
available.

Suggested-by: James Morris <jmorris@namei.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>

diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index c668ac4..dd01aa9 100644 (file)
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -3,8 +3,17 @@ config SECURITY_LOADPIN
        depends on SECURITY && BLOCK
        help
          Any files read through the kernel file reading interface
-         (kernel modules, firmware, kexec images, security policy) will
-         be pinned to the first filesystem used for loading. Any files
-         that come from other filesystems will be rejected. This is best
-         used on systems without an initrd that have a root filesystem
-         backed by a read-only device such as dm-verity or a CDROM.
+         (kernel modules, firmware, kexec images, security policy)
+         can be pinned to the first filesystem used for loading. When
+         enabled, any files that come from other filesystems will be
+         rejected. This is best used on systems without an initrd that
+         have a root filesystem backed by a read-only device such as
+         dm-verity or a CDROM.
+
+config SECURITY_LOADPIN_ENABLED
+       bool "Enforce LoadPin at boot"
+       depends on SECURITY_LOADPIN
+       help
+         If selected, LoadPin will enforce pinning at boot. If not
+         selected, it can be enabled at boot with the kernel parameter
+         "loadpin.enabled=1".

diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index e4debae..89a46f1 100644 (file)
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -45,7 +45,7 @@ static void report_load(const char *origin, struct file *file, char *operation)
        kfree(pathname);
 }
 
-static int enabled = 1;
+static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
 static struct super_block *pinned_root;
 static DEFINE_SPINLOCK(pinned_root_spinlock);