projects / linux-2.6-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9e47d31) | patch
security: Add a static lockdown policy LSM
authorMatthew Garrett <matthewgarrett@google.com>
Tue, 20 Aug 2019 00:17:39 +0000 (17:17 -0700)
committerJames Morris <jmorris@namei.org>
Tue, 20 Aug 2019 04:54:15 +0000 (21:54 -0700)
commit000d388ed3bbed745f366ce71b2bb7c2ee70f449
tree8df5d266713aa79f5009a515ec5db597a61aba30tree | snapshot
parent9e47d31d6a57b5babaca36d42b0d11b6db6019b7commit | diff
security: Add a static lockdown policy LSM

While existing LSMs can be extended to handle lockdown policy,
distributions generally want to be able to apply a straightforward
static policy. This patch adds a simple LSM that can be configured to
reject either integrity or all lockdown queries, and can be configured
at runtime (through securityfs), boot time (via a kernel parameter) or
build time (via a kconfig option). Based on initial code by David
Howells.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Documentation/admin-guide/kernel-parameters.txt diff | blob | blame | history
include/linux/security.h diff | blob | blame | history
security/Kconfig diff | blob | blame | history
security/Makefile diff | blob | blame | history
security/lockdown/Kconfig [new file with mode: 0644] blob
security/lockdown/Makefile [new file with mode: 0644] blob
security/lockdown/lockdown.c [new file with mode: 0644] blob
Linux 6.x block layer and io_uring tree(s)