LSM: LoadPin: provide enablement CONFIG
Instead of being enabled by default when SECURITY_LOADPIN is selected,
provide an additional (default off) config to determine the boot time
behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains
available.

Suggested-by: James Morris <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
kees authored and James Morris committed May 17, 2016
1 parent a6926cc commit b937190
Showing 2 changed files with 15 additions and 6 deletions.
19 changes: 14 additions & 5 deletions security/loadpin/Kconfig
@@ -3,8 +3,17 @@ config SECURITY_LOADPIN
depends on SECURITY && BLOCK
help
Any files read through the kernel file reading interface
(kernel modules, firmware, kexec images, security policy) will
be pinned to the first filesystem used for loading. Any files
that come from other filesystems will be rejected. This is best
used on systems without an initrd that have a root filesystem
backed by a read-only device such as dm-verity or a CDROM.
(kernel modules, firmware, kexec images, security policy)
can be pinned to the first filesystem used for loading. When
enabled, any files that come from other filesystems will be
rejected. This is best used on systems without an initrd that
have a root filesystem backed by a read-only device such as
dm-verity or a CDROM.

config SECURITY_LOADPIN_ENABLED
bool "Enforce LoadPin at boot"
depends on SECURITY_LOADPIN
help
If selected, LoadPin will enforce pinning at boot. If not
selected, it can be enabled at boot with the kernel parameter
"loadpin.enabled=1".
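Review bot: SECURITY_LOADPIN_ENABLED carries no explicit `default` line, so it falls back to Kconfig's implicit default of n; that matches the "default off" behaviour the commit message describes, but stating `default n` explicitly would make the intent obvious to anyone reading the Kconfig later. The reworded SECURITY_LOADPIN help text now says files "can be pinned" and "When enabled" without saying where enabling happens; a pointer such as "See SECURITY_LOADPIN_ENABLED" in that help text would stop a user from selecting SECURITY_LOADPIN alone and assuming enforcement is on. The new option's help text could also mention that, when it is selected, enforcement can still be turned off with "loadpin.enabled=0", which the commit message promises remains available.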
2 changes: 1 addition & 1 deletion security/loadpin/loadpin.c
@@ -45,7 +45,7 @@ static void report_load(const char *origin, struct file *file, char *operation)
kfree(pathname);
}

static int enabled = 1;
static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
static struct super_block *pinned_root;
static DEFINE_SPINLOCK(pinned_root_spinlock);

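Review bot: With `static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);` the default enforcement state is now decided at build time, so a kernel that has SECURITY_LOADPIN but not SECURITY_LOADPIN_ENABLED compiles LoadPin in while leaving it inert until "loadpin.enabled=1" is passed. Since nothing in this hunk reports that state, consider logging the initial value of `enabled` at initialisation, alongside the existing report_load() messages, so an operator can confirm from the boot log whether pinning is actually in force rather than inferring it from the presence of the LSM. A minor style point: the Kconfig symbol is a bool and IS_ENABLED() yields 0 or 1, so `bool` would describe `enabled` more accurately than `int` if the boot parameter handling accepts it.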