diff options
author | Kees Cook <keescook@chromium.org> | 2016-04-20 15:46:28 -0700 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2016-04-21 10:47:27 +1000 |
commit | 9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch) | |
tree | 075fffff80b5caad9738f633c83333dea9e04efd /Documentation/security | |
parent | 1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 (diff) | |
download | linux-stable-9b091556a073a9f5f93e2ad23d118f45c4796a84.tar.gz linux-stable-9b091556a073a9f5f93e2ad23d118f45c4796a84.tar.bz2 linux-stable-9b091556a073a9f5f93e2ad23d118f45c4796a84.zip |
LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/LoadPin.txt | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/Documentation/security/LoadPin.txt b/Documentation/security/LoadPin.txt new file mode 100644 index 000000000000..e11877f5d3d4 --- /dev/null +++ b/Documentation/security/LoadPin.txt @@ -0,0 +1,17 @@ +LoadPin is a Linux Security Module that ensures all kernel-loaded files +(modules, firmware, etc) all originate from the same filesystem, with +the expectation that such a filesystem is backed by a read-only device +such as dm-verity or CDROM. This allows systems that have a verified +and/or unchangeable filesystem to enforce module and firmware loading +restrictions without needing to sign the files individually. + +The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and +can be controlled at boot-time with the kernel command line option +"loadpin.enabled". By default, it is enabled, but can be disabled at +boot ("loadpin.enabled=0"). + +LoadPin starts pinning when it sees the first file loaded. If the +block device backing the filesystem is not read-only, a sysctl is +created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having +a mutable filesystem means pinning is mutable too, but having the +sysctl allows for easy testing on systems with a mutable filesystem.) |