Date: Thu, 21 Apr 2016 10:20:43 +1000 (AEST)
From: James Morris <jmorris@namei.org>
To: Kees Cook <keescook@chromium.org>
cc: Mimi Zohar <zohar@linux.vnet.ibm.com>, Joe Perches <joe@perches.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        "Serge E. Hallyn" <serge@hallyn.com>, Jonathan Corbet <corbet@lwn.net>,
        Kalle Valo <kvalo@codeaurora.org>,
        Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
        Guenter Roeck <linux@roeck-us.net>, Jiri Slaby <jslaby@suse.com>,
        Paul Moore <pmoore@redhat.com>, Stephen Smalley <sds@tycho.nsa.gov>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Andreas Gruenbacher <agruenba@redhat.com>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        Ulf Hansson <ulf.hansson@linaro.org>,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-doc@vger.kernel.org
Subject: Re: [PATCH v5 0/6] LSM: LoadPin for kernel file loading
 restrictions
In-Reply-To: <1461192388-13900-1-git-send-email-keescook@chromium.org>
Message-ID: <alpine.LRH.2.20.1604211020320.13495@namei.org>
References: <1461192388-13900-1-git-send-email-keescook@chromium.org>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 526
Lines: 16

On Wed, 20 Apr 2016, Kees Cook wrote:

> This provides the mini-LSM "loadpin" that intercepts the now consolidated
> kernel_file_read LSM hook so that a system can keep all loads coming from
> a single trusted filesystem. This is what Chrome OS uses to pin kernel
> module and firmware loading to the read-only crypto-verified dm-verity
> partition so that kernel module signing is not needed.
> 

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next


-- 
James Morris
<jmorris@namei.org>