[PATCH V33 00/30] Lockdown as an LSM

From: Matthew Garrett
Date: Thu Jun 20 2019 - 21:19:52 EST

Next message: Matthew Garrett: "[PATCH V33 01/30] security: Support early LSMs"
Previous message: Kees Cook: "Re: [PATCH -next] slub: play init_on_free=1 well with SLAB_RED_ZONE"
Next in thread: Matthew Garrett: "[PATCH V33 01/30] security: Support early LSMs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi James,

Let's see how this one goes. I've moved the lockdown code into an LSM
hook and provided an internal enum of lockdown reasons that LSMs can
either group or expose at whatever level of granularity is appropriate.
I've also included a static LSM that mimics the behaviour of the
existing patchset. I think there's a reasonable discussion to have about
what sort of granularity other LSMs might want to offer, but I don't
think that necessarily needs to be a blocker to merging this.

As with the last implementation, this can be enabled via static kernel
configuration, the kernel command line or via securityfs, depending on
usecase. Distributions may wish to tie it to UEFI Secure Boot state, but
we can save that conversation to later.

Thoughts?

Next message: Matthew Garrett: "[PATCH V33 01/30] security: Support early LSMs"
Previous message: Kees Cook: "Re: [PATCH -next] slub: play init_on_free=1 well with SLAB_RED_ZONE"
Next in thread: Matthew Garrett: "[PATCH V33 01/30] security: Support early LSMs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]