LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
diff --git a/security/security.c b/security/security.c
index 554c3fb..e428608 100644
--- a/security/security.c
+++ b/security/security.c
@@ -60,6 +60,7 @@
*/
capability_add_hooks();
yama_add_hooks();
+ loadpin_add_hooks();
/*
* Load all the remaining security modules.
