Re: [PATCH v2 5/5] LSM: LoadPin for kernel file loading restrictions

From: Mimi Zohar
Date: Wed Mar 30 2016 - 16:24:27 EST


On Mon, 2016-03-28 at 14:38 -0700, Andrew Morton wrote:
> On Mon, 28 Mar 2016 14:14:22 -0700 Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> > This LSM enforces that kernel-loaded files (modules, firmware, etc)
> > must all come from the same filesystem, with the expectation that
> > such a filesystem is backed by a read-only device such as dm-verity
> > or CDROM. This allows systems that have a verified and/or unchangeable
> > filesystem to enforce module and firmware loading restrictions without
> > needing to sign the files individually.
>
> Patchset generally looks good to me. It's regrettable that a load of
> stuff was added to lib/ for one obscure LSM but hopefully (doubtfully)
> someone else will find a use for some of it.

I'm planning on adding support for measuring buffers, like the boot
command line, which will need to be string safe.

Mimi
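The quoted commit message describes the policy in one sentence: the first kernel-loaded file pins its filesystem, and every later module or firmware load must come from that same filesystem. The following user-space model is an added example, not code from the patch or the kernel; the struct names, the `read_only` flag, the warning on pinning to a writable filesystem, and the sample paths are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model (added example, not kernel code) of the pinning rule described in
 * the commit message: the filesystem of the first kernel-loaded file becomes
 * the pinned root, and every later module/firmware load must come from that
 * same filesystem. Names, the read_only flag and the warning are assumptions. */

struct fs {
    const char *name;   /* mount point, used only for messages */
    bool read_only;     /* backing device is read-only (e.g. dm-verity, CDROM) */
};

struct loadpin {
    const struct fs *pinned;   /* NULL until the first load pins a filesystem */
    unsigned long allowed;
    unsigned long denied;
};

#define LOADPIN_INIT { NULL, 0, 0 }

/* Returns 0 if the load is permitted, -1 (stand-in for -EPERM) if denied. */
int loadpin_check(struct loadpin *lp, const struct fs *fs,
                  const char *what, const char *path)
{
    if (!lp->pinned) {
        /* First load: pin to whatever filesystem it came from. */
        lp->pinned = fs;
        printf("loadpin: pinned to %s on first %s load (%s)\n",
               fs->name, what, path);
        if (!fs->read_only)
            /* The commit message expects a read-only backing; this model
             * only warns and still enforces (model assumption). */
            printf("loadpin: warning: %s is writable, pinning gives no "
                   "integrity guarantee\n", fs->name);
    }
    if (fs != lp->pinned) {
        lp->denied++;
        printf("loadpin: denied %s %s: %s is not the pinned filesystem %s\n",
               what, path, fs->name, lp->pinned->name);
        return -1;
    }
    lp->allowed++;
    return 0;
}

/* Walks a constructed sequence of loads and returns how many were denied. */
unsigned long run_demo(void)
{
    /* Constructed sample filesystems: a verified root and a writable scratch fs. */
    static const struct fs rootfs = { "/", true };
    static const struct fs tmpfs  = { "/tmp", false };
    struct loadpin lp = LOADPIN_INIT;

    loadpin_check(&lp, &rootfs, "module",   "/lib/modules/ext4.ko");
    loadpin_check(&lp, &rootfs, "firmware", "/lib/firmware/iwlwifi.ucode");
    loadpin_check(&lp, &tmpfs,  "module",   "/tmp/evil.ko");   /* denied */
    loadpin_check(&lp, &tmpfs,  "firmware", "/tmp/evil.bin");  /* denied */
    return lp.denied;
}

int main(void)
{
    printf("denied: %lu\n", run_demo());
    return 0;
}
```

The point the model makes is the one the commit message relies on: nothing here verifies the files themselves, so the guarantee is only as strong as the immutability of the pinned filesystem. Pinning to a writable filesystem still blocks loads from elsewhere, but an attacker who can write to the pinned filesystem is not stopped.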