[PATCH v2 0/5] LSM: LoadPin for kernel file loading restrictions
From: Kees Cook
Date: Mon Mar 28 2016 - 17:14:37 EST
This provides the mini-LSM "loadpin" that intercepts the now consolidated
kernel_file_read LSM hook so that a system can keep all loads coming from
a single trusted filesystem. This is what Chrome OS uses to pin kernel
module and firmware loading to the read-only crypto-verified dm-verity
partition so that kernel module signing is not needed.
-Kees
v2:
- break out utility helpers into separate functions
- have Yama use new helpers too