[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.20.1604211020320.13495@namei.org>
Date: Thu, 21 Apr 2016 10:20:43 +1000 (AEST)
From: James Morris <jmorris@...ei.org>
To: Kees Cook <keescook@...omium.org>
cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Joe Perches <joe@...ches.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Jonathan Corbet <corbet@....net>,
Kalle Valo <kvalo@...eaurora.org>,
Mauro Carvalho Chehab <mchehab@....samsung.com>,
Guenter Roeck <linux@...ck-us.net>,
Jiri Slaby <jslaby@...e.com>, Paul Moore <pmoore@...hat.com>,
Stephen Smalley <sds@...ho.nsa.gov>,
Casey Schaufler <casey@...aufler-ca.com>,
Andreas Gruenbacher <agruenba@...hat.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Ulf Hansson <ulf.hansson@...aro.org>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org
Subject: Re: [PATCH v5 0/6] LSM: LoadPin for kernel file loading
restrictions
On Wed, 20 Apr 2016, Kees Cook wrote:
> This provides the mini-LSM "loadpin" that intercepts the now consolidated
> kernel_file_read LSM hook so that a system can keep all loads coming from
> a single trusted filesystem. This is what Chrome OS uses to pin kernel
> module and firmware loading to the read-only crypto-verified dm-verity
> partition so that kernel module signing is not needed.
>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
--
James Morris
<jmorris@...ei.org>
Powered by blists - more mailing lists