[PATCH v2 0/5] LSM: LoadPin for kernel file loading restrictions

From: Kees Cook
Date: Mon Mar 28 2016 - 17:14:37 EST

Next message: Shuah Khan: "Re: [RFC PATCH 2/4] media: Add Media Device Allocator API documentation"
Previous message: Rob Herring: "Re: [PATCH V2] ARM: dts: AM572x-IDK Initial Support"
Next in thread: Kees Cook: "[PATCH v2 1/5] string_helpers: add kstrdup_quotable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This provides the mini-LSM "loadpin" that intercepts the now consolidated
kernel_file_read LSM hook so that a system can keep all loads coming from
a single trusted filesystem. This is what Chrome OS uses to pin kernel
module and firmware loading to the read-only crypto-verified dm-verity
partition so that kernel module signing is not needed.

-Kees

v2:
- break out utility helpers into separate functions
- have Yama use new helpers too

Next message: Shuah Khan: "Re: [RFC PATCH 2/4] media: Add Media Device Allocator API documentation"
Previous message: Rob Herring: "Re: [PATCH V2] ARM: dts: AM572x-IDK Initial Support"
Next in thread: Kees Cook: "[PATCH v2 1/5] string_helpers: add kstrdup_quotable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]