diff options
author | Kees Cook <keescook@chromium.org> | 2016-04-21 00:46:28 +0200 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2016-04-21 02:47:27 +0200 |
commit | 9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch) | |
tree | 075fffff80b5caad9738f633c83333dea9e04efd /security/security.c | |
parent | fs: define a string representation of the kernel_read_file_id enumeration (diff) | |
download | linux-9b091556a073a9f5f93e2ad23d118f45c4796a84.tar.xz linux-9b091556a073a9f5f93e2ad23d118f45c4796a84.zip |
LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to '')
-rw-r--r-- | security/security.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c index 554c3fb7d4a5..e42860899f23 100644 --- a/security/security.c +++ b/security/security.c @@ -60,6 +60,7 @@ int __init security_init(void) */ capability_add_hooks(); yama_add_hooks(); + loadpin_add_hooks(); /* * Load all the remaining security modules. |