LSM: LoadPin for kernel file loading restrictions

This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
author: Kees Cook <keescook@chromium.org> 2016-04-20 15:46:28 -0700
committer: James Morris <james.l.morris@oracle.com> 2016-04-21 10:47:27 +1000
commit: 9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch)
tree: 075fffff80b5caad9738f633c83333dea9e04efd /security/security.c
parent: 1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c
index 554c3fb7d4a5..e42860899f23 100644
--- a/security/security.c
+++ b/security/security.c
@@ -60,6 +60,7 @@ int __init security_init(void)
 	 */
 	capability_add_hooks();
 	yama_add_hooks();
+	loadpin_add_hooks();
 
 	/*
 	 * Load all the remaining security modules.
author	Kees Cook <keescook@chromium.org>	2016-04-20 15:46:28 -0700
committer	James Morris <james.l.morris@oracle.com>	2016-04-21 10:47:27 +1000
commit	9b091556a073a9f5f93e2ad23d118f45c4796a84 (patch)
tree	075fffff80b5caad9738f633c83333dea9e04efd /security/security.c
parent	1284ab5b2dcb927d38e4f3fbc2e307f3d1af9262 (diff)