summaryrefslogtreecommitdiffstats
path: root/security/Makefile
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2016-04-21 00:46:28 +0200
committerJames Morris <james.l.morris@oracle.com>2016-04-21 02:47:27 +0200
commit9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch)
tree075fffff80b5caad9738f633c83333dea9e04efd /security/Makefile
parentfs: define a string representation of the kernel_read_file_id enumeration (diff)
downloadlinux-9b091556a073a9f5f93e2ad23d118f45c4796a84.tar.xz
linux-9b091556a073a9f5f93e2ad23d118f45c4796a84.zip
LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/Makefile')
-rw-r--r--security/Makefile2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index c9bfbc84ff50..f2d71cdb8e19 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
+subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
# always enable default capabilities
obj-y += commoncap.o
@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
+obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists