[PATCH v5 0/6] LSM: LoadPin for kernel file loading restrictions

From: Kees Cook
Date: Wed Apr 20 2016 - 18:47:39 EST

This provides the mini-LSM "loadpin" that intercepts the now consolidated
kernel_file_read LSM hook so that a system can keep all loads coming from
a single trusted filesystem. This is what Chrome OS uses to pin kernel
module and firmware loading to the read-only crypto-verified dm-verity
partition so that kernel module signing is not needed.


- replace enum-to-str code, mimi
- add missing "const" to char * src, joe
- changed module parameter to "loadpin.enabled"
- add sysctl docs, akpm
- add general use function for enum, zohar
- add gfp_t, joe
- clean up loops, andriy.shevchenko
- reduce BUG_ON to WARN_ON, joe
- break out utility helpers into separate functions
- have Yama use new helpers too