Re: [PATCH v3 0/6] LSM: LoadPin for kernel file loading restrictions
From: Kees Cook
Date: Tue Apr 12 2016 - 12:57:53 EST
On Tue, Apr 12, 2016 at 2:59 AM, James Morris <jmorris@xxxxxxxxx> wrote:
> On Wed, 6 Apr 2016, Kees Cook wrote:
>
>> This provides the mini-LSM "loadpin" that intercepts the now consolidated
>> kernel_file_read LSM hook so that a system can keep all loads coming from
>> a single trusted filesystem. This is what Chrome OS uses to pin kernel
>> module and firmware loading to the read-only crypto-verified dm-verity
>> partition so that kernel module signing is not needed.
>>
>
> This all looks good to me, just waiting now for the const fix suggested by
> Joe.
Okay, great, thanks! I've sent a v4 with the const change now.
-Kees
--
Kees Cook
Chrome OS & Brillo Security