diff options
| author |   Kees Cook <keescook@chromium.org> | 2016-05-17 01:45:52 -0700 |
|---|---|---|
| committer |   James Morris <james.l.morris@oracle.com> | 2016-05-17 20:10:30 +1000 |
| commit | b937190c40de0f6f07f592042e3097b16c6b0130 (patch) | |
| tree | 3c30684e605efa39d85d69b88ae4af3df7ce6d9c /security | |
| parent | Merge branch 'stable-4.7' of git://git.infradead.org/users/pcmoore/selinux into next (diff) | |
| download | linux-dev-b937190c40de0f6f07f592042e3097b16c6b0130.tar.xz linux-dev-b937190c40de0f6f07f592042e3097b16c6b0130.zip | |
LSM: LoadPin: provide enablement CONFIG
Instead of being enabled by default when SECURITY_LOADPIN is selected,
provide an additional (default off) config to determine the boot time
behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains
available.
Suggested-by: James Morris <jmorris@namei.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/loadpin/Kconfig | 19 | ||||
| -rw-r--r-- | security/loadpin/loadpin.c | 2 |
2 files changed, 15 insertions, 6 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index c668ac4eda65..dd01aa91e521 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -3,8 +3,17 @@ config SECURITY_LOADPIN depends on SECURITY && BLOCK help Any files read through the kernel file reading interface - (kernel modules, firmware, kexec images, security policy) will - be pinned to the first filesystem used for loading. Any files - that come from other filesystems will be rejected. This is best - used on systems without an initrd that have a root filesystem - backed by a read-only device such as dm-verity or a CDROM. + (kernel modules, firmware, kexec images, security policy) + can be pinned to the first filesystem used for loading. When + enabled, any files that come from other filesystems will be + rejected. This is best used on systems without an initrd that + have a root filesystem backed by a read-only device such as + dm-verity or a CDROM. + +config SECURITY_LOADPIN_ENABLED + bool "Enforce LoadPin at boot" + depends on SECURITY_LOADPIN + help + If selected, LoadPin will enforce pinning at boot. If not + selected, it can be enabled at boot with the kernel parameter + "loadpin.enabled=1". diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index e4debae3c4d6..89a46f10b8a7 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -45,7 +45,7 @@ static void report_load(const char *origin, struct file *file, char *operation) kfree(pathname); } -static int enabled = 1; +static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED); static struct super_block *pinned_root; static DEFINE_SPINLOCK(pinned_root_spinlock); |