LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by:Kees Cook <keescook@chromium.org> Acked-by:
Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by:
James Morris <james.l.morris@oracle.com>
Showing
- Documentation/security/LoadPin.txt 17 additions, 0 deletionsDocumentation/security/LoadPin.txt
- MAINTAINERS 6 additions, 0 deletionsMAINTAINERS
- include/linux/lsm_hooks.h 5 additions, 0 deletionsinclude/linux/lsm_hooks.h
- security/Kconfig 1 addition, 0 deletionssecurity/Kconfig
- security/Makefile 2 additions, 0 deletionssecurity/Makefile
- security/loadpin/Kconfig 10 additions, 0 deletionssecurity/loadpin/Kconfig
- security/loadpin/Makefile 1 addition, 0 deletionssecurity/loadpin/Makefile
- security/loadpin/loadpin.c 190 additions, 0 deletionssecurity/loadpin/loadpin.c
- security/security.c 1 addition, 0 deletionssecurity/security.c
Please register or sign in to comment