Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9b091556 authored Apr 20, 2016 by Kees Cook Committed by James Morris Apr 21, 2016

LSM: LoadPin for kernel file loading restrictions



This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

parent 1284ab5b

Documentation/security/LoadPin.txt

0 → 100644

+17 −0

Original line number	Diff line number	Diff line
		LoadPin is a Linux Security Module that ensures all kernel-loaded files
		(modules, firmware, etc) all originate from the same filesystem, with
		the expectation that such a filesystem is backed by a read-only device
		such as dm-verity or CDROM. This allows systems that have a verified
		and/or unchangeable filesystem to enforce module and firmware loading
		restrictions without needing to sign the files individually.

		The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and
		can be controlled at boot-time with the kernel command line option
		"loadpin.enabled". By default, it is enabled, but can be disabled at
		boot ("loadpin.enabled=0").

		LoadPin starts pinning when it sees the first file loaded. If the
		block device backing the filesystem is not read-only, a sysctl is
		created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having
		a mutable filesystem means pinning is mutable too, but having the
		sysctl allows for easy testing on systems with a mutable filesystem.)

MAINTAINERS

+6 −0

Original line number	Diff line number	Diff line
		@@ -9962,6 +9962,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
		S: Supported
		F: security/apparmor/

		LOADPIN SECURITY MODULE
		M: Kees Cook <keescook@chromium.org>
		T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/loadpin
		S: Supported
		F: security/loadpin/

		YAMA SECURITY MODULE
		M: Kees Cook <keescook@chromium.org>
		T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git yama/tip

include/linux/lsm_hooks.h

+5 −0

Original line number	Diff line number	Diff line
		@@ -1892,5 +1892,10 @@ extern void __init yama_add_hooks(void);
		#else
		static inline void __init yama_add_hooks(void) { }
		#endif
		#ifdef CONFIG_SECURITY_LOADPIN
		void __init loadpin_add_hooks(void);
		#else
		static inline void loadpin_add_hooks(void) { };
		#endif

		#endif /* ! __LINUX_LSM_HOOKS_H */

security/Kconfig

+1 −0

Original line number	Diff line number	Diff line
		@@ -122,6 +122,7 @@ source security/selinux/Kconfig
		source security/smack/Kconfig
		source security/tomoyo/Kconfig
		source security/apparmor/Kconfig
		source security/loadpin/Kconfig
		source security/yama/Kconfig

		source security/integrity/Kconfig

security/Makefile

+2 −0

Original line number	Diff line number	Diff line
		@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack
		subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
		subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
		subdir-$(CONFIG_SECURITY_YAMA) += yama
		subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin

		# always enable default capabilities
		obj-y += commoncap.o
		@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o
		obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
		obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
		obj-$(CONFIG_SECURITY_YAMA) += yama/
		obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
		obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o

		# Object integrity file lists