authorMatthew Garrett <matthewgarrett@google.com>2019-08-20 02:17:38 +0200
committerJames Morris <jmorris@namei.org>2019-08-20 06:54:15 +0200
commit9e47d31d6a57b5babaca36d42b0d11b6db6019b7 (patch)
treefcc41c716dbdeb3f8237903284e54ea524d2f463 /security
parentsecurity: Support early LSMs (diff)
security: Add a "locked down" LSM hook
Add a mechanism to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/security.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index ef4a0111c8b4..7fc373486d7a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
call_void_hook(bpf_prog_free_security, aux);
}
#endif /* CONFIG_BPF_SYSCALL */
+
+int security_locked_down(enum lockdown_reason what)
+{
+ return call_int_hook(locked_down, 0, what);
+}
+EXPORT_SYMBOL(security_locked_down);
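Review bot: security_locked_down() is exported to modules without a comment stating its return contract, and the `0` passed as the default to call_int_hook means that when no LSM registers a locked_down hook, every caller is told the operation is permitted. That fail-open default is probably intended, but it is worth writing down, because callers gating kernel-tampering interfaces need to know that non-zero means "deny" and must be propagated rather than ignored. I would add a short kernel-doc block above the function, along the lines of `/* Returns 0 if @what is permitted (including when no LSM implements the hook), otherwise the error from the denying LSM. */`. How call_int_hook combines results from several LSMs is defined outside this hunk, so the wording about which LSM's error is returned should be checked against that macro.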