17 Jul, 2018

1 commit

• c77b8cdf7   module: replace the existing LSM hook in init_module ... Browse Code »

  Both the init_module and finit_module syscalls call either directly
  or indirectly the security_kernel_read_file LSM hook. This patch
  replaces the direct call in init_module with a call to the new
  security_kernel_load_data hook and makes the corresponding changes
  in SELinux, LoadPin, and IMA.

  Signed-off-by: Mimi Zohar
  Cc: Jeff Vander Stoep
  Cc: Casey Schaufler
  Cc: Kees Cook
  Acked-by: Jessica Yu
  Acked-by: Paul Moore
  Acked-by: Kees Cook
  Signed-off-by: James Morris

  Mimi Zohar

  2018-07-17 03:31:57 +0800  

23 Feb, 2018

1 commit

• 304ec482f   get rid of pointless includes of fs_struct.h ... Browse Code »

  Signed-off-by: Al Viro

  Al Viro

  2018-02-23 03:28:50 +0800  

06 Mar, 2017

1 commit

• ca97d939d   security: mark LSM hooks as __ro_after_init ... Browse Code »

  Mark all of the registration hooks as __ro_after_init (via the
  __lsm_ro_after_init macro).

  Signed-off-by: James Morris
  Acked-by: Stephen Smalley
  Acked-by: Kees Cook

  James Morris

  2017-03-06 08:00:15 +0800  

19 Jan, 2017

1 commit

• d69dece5f   LSM: Add /sys/kernel/security/lsm ... Browse Code »

  I am still tired of having to find indirect ways to determine
  what security modules are active on a system. I have added
  /sys/kernel/security/lsm, which contains a comma separated
  list of the active security modules. No more groping around
  in /proc/filesystems or other clever hacks.

  Unchanged from previous versions except for being updated
  to the latest security next branch.

  Signed-off-by: Casey Schaufler
  Acked-by: John Johansen
  Acked-by: Paul Moore
  Acked-by: Kees Cook
  Signed-off-by: James Morris

  Casey Schaufler

  2017-01-19 10:18:29 +0800  

17 May, 2016

1 commit

• b937190c4   LSM: LoadPin: provide enablement CONFIG ... Browse Code »

  Instead of being enabled by default when SECURITY_LOADPIN is selected,
  provide an additional (default off) config to determine the boot time
  behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains
  available.

  Suggested-by: James Morris
  Signed-off-by: Kees Cook
  Signed-off-by: James Morris

  Kees Cook

  2016-05-17 18:10:30 +0800  

21 Apr, 2016

1 commit

• 9b091556a   LSM: LoadPin for kernel file loading restrictions ... Browse Code »

  This LSM enforces that kernel-loaded files (modules, firmware, etc)
  must all come from the same filesystem, with the expectation that
  such a filesystem is backed by a read-only device such as dm-verity
  or CDROM. This allows systems that have a verified and/or unchangeable
  filesystem to enforce module and firmware loading restrictions without
  needing to sign the files individually.

  Signed-off-by: Kees Cook
  Acked-by: Serge Hallyn
  Signed-off-by: James Morris

  Kees Cook

  2016-04-21 08:47:27 +0800