Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751707AbcDUAWm (ORCPT ); Wed, 20 Apr 2016 20:22:42 -0400 Received: from tundra.namei.org ([65.99.196.166]:46291 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751188AbcDUAWk (ORCPT ); Wed, 20 Apr 2016 20:22:40 -0400 Date: Thu, 21 Apr 2016 10:20:43 +1000 (AEST) From: James Morris To: Kees Cook cc: Mimi Zohar , Joe Perches , Andy Shevchenko , Andrew Morton , "Serge E. Hallyn" , Jonathan Corbet , Kalle Valo , Mauro Carvalho Chehab , Guenter Roeck , Jiri Slaby , Paul Moore , Stephen Smalley , Casey Schaufler , Andreas Gruenbacher , Rasmus Villemoes , Ulf Hansson , Vitaly Kuznetsov , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org Subject: Re: [PATCH v5 0/6] LSM: LoadPin for kernel file loading restrictions In-Reply-To: <1461192388-13900-1-git-send-email-keescook@chromium.org> Message-ID: References: <1461192388-13900-1-git-send-email-keescook@chromium.org> User-Agent: Alpine 2.20 (LRH 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 526 Lines: 16 On Wed, 20 Apr 2016, Kees Cook wrote: > This provides the mini-LSM "loadpin" that intercepts the now consolidated > kernel_file_read LSM hook so that a system can keep all loads coming from > a single trusted filesystem. This is what Chrome OS uses to pin kernel > module and firmware loading to the read-only crypto-verified dm-verity > partition so that kernel module signing is not needed. > Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next -- James Morris