Re: [PATCH v3 0/6] LSM: LoadPin for kernel file loading restrictions

From: Kees Cook
Date: Tue Apr 12 2016 - 12:57:53 EST

Next message: Will Deacon: "Re: [RFC][PATCH 3/3] locking,arm64: Introduce cmpwait()"
Previous message: Kees Cook: "[PATCH v4 4/6] Yama: consolidate error reporting"
In reply to: James Morris: "Re: [PATCH v3 0/6] LSM: LoadPin for kernel file loading restrictions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 12, 2016 at 2:59 AM, James Morris <jmorris@xxxxxxxxx> wrote:
> On Wed, 6 Apr 2016, Kees Cook wrote:
>
>> This provides the mini-LSM "loadpin" that intercepts the now consolidated
>> kernel_file_read LSM hook so that a system can keep all loads coming from
>> a single trusted filesystem. This is what Chrome OS uses to pin kernel
>> module and firmware loading to the read-only crypto-verified dm-verity
>> partition so that kernel module signing is not needed.
>>
>
> This all looks good to me, just waiting now for the const fix suggested by
> Joe.

Okay, great, thanks! I've sent a v4 with the const change now.

-Kees

--
Kees Cook
Chrome OS & Brillo Security

Next message: Will Deacon: "Re: [RFC][PATCH 3/3] locking,arm64: Introduce cmpwait()"
Previous message: Kees Cook: "[PATCH v4 4/6] Yama: consolidate error reporting"
In reply to: James Morris: "Re: [PATCH v3 0/6] LSM: LoadPin for kernel file loading restrictions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]