9b091556a0
This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
11 lines
515 B
Plaintext
11 lines
515 B
Plaintext
config SECURITY_LOADPIN
|
|
bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
|
|
depends on SECURITY && BLOCK
|
|
help
|
|
Any files read through the kernel file reading interface
|
|
(kernel modules, firmware, kexec images, security policy) will
|
|
be pinned to the first filesystem used for loading. Any files
|
|
that come from other filesystems will be rejected. This is best
|
|
used on systems without an initrd that have a root filesystem
|
|
backed by a read-only device such as dm-verity or a CDROM.
|