diff options
| author | Kees Cook <keescook@chromium.org> | 2016-04-20 15:46:28 -0700 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2016-04-21 10:47:27 +1000 |
| commit | 9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch) | |
| tree | 075fffff80b5caad9738f633c83333dea9e04efd /security/Makefile | |
| parent | 1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 (diff) | |
| download | linux-stable-9b091556a073a9f5f93e2ad23d118f45c4796a84.tar.gz linux-stable-9b091556a073a9f5f93e2ad23d118f45c4796a84.tar.bz2 linux-stable-9b091556a073a9f5f93e2ad23d118f45c4796a84.zip | |
LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/Makefile')
| -rw-r--r-- | security/Makefile | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile index c9bfbc84ff50..f2d71cdb8e19 100644 --- a/security/Makefile +++ b/security/Makefile @@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama +subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin # always enable default capabilities obj-y += commoncap.o @@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ +obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists |