LSM: LoadPin for kernel file loading restrictions This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>

commit: 9b091556a073a9f5f93e2ad23d118f45c4796a84 [log] [tgz]
author: Kees Cook <keescook@chromium.org> Wed Apr 20 15:46:28 2016 -0700
committer: James Morris <james.l.morris@oracle.com> Thu Apr 21 10:47:27 2016 +1000
tree: 075fffff80b5caad9738f633c83333dea9e04efd
parent: 1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 [diff] [blame]
diff --git a/security/Makefile b/security/Makefile
index c9bfbc84..f2d71cd 100644
--- a/security/Makefile
+++ b/security/Makefile

@@ -8,6 +8,7 @@
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
 subdir-$(CONFIG_SECURITY_YAMA)		+= yama
+subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -22,6 +23,7 @@
 obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
+obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 
 # Object integrity file lists
commit	9b091556a073a9f5f93e2ad23d118f45c4796a84	[log] [tgz]
author	Kees Cook <keescook@chromium.org>	Wed Apr 20 15:46:28 2016 -0700
committer	James Morris <james.l.morris@oracle.com>	Thu Apr 21 10:47:27 2016 +1000
tree	075fffff80b5caad9738f633c83333dea9e04efd
parent	1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 [diff] [blame]