LSM: LoadPin: provide enablement CONFIG (b937190c) · Commits · e / devices / android_kernel_teracube_2e

security/loadpin/Kconfig

+14 −5

Original line number	Diff line number	Diff line
		@@ -3,8 +3,17 @@ config SECURITY_LOADPIN
		depends on SECURITY && BLOCK
		help
		Any files read through the kernel file reading interface
		(kernel modules, firmware, kexec images, security policy) will
		be pinned to the first filesystem used for loading. Any files
		that come from other filesystems will be rejected. This is best
		used on systems without an initrd that have a root filesystem
		backed by a read-only device such as dm-verity or a CDROM.
		(kernel modules, firmware, kexec images, security policy)
		can be pinned to the first filesystem used for loading. When
		enabled, any files that come from other filesystems will be
		rejected. This is best used on systems without an initrd that
		have a root filesystem backed by a read-only device such as
		dm-verity or a CDROM.

		config SECURITY_LOADPIN_ENABLED
		bool "Enforce LoadPin at boot"
		depends on SECURITY_LOADPIN
		help
		If selected, LoadPin will enforce pinning at boot. If not
		selected, it can be enabled at boot with the kernel parameter
		"loadpin.enabled=1".

+1 −1

Original line number	Diff line number	Diff line
		@@ -45,7 +45,7 @@ static void report_load(const char origin, struct file file, char *operation)
		kfree(pathname);
		}

		static int enabled = 1;
		static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
		static struct super_block *pinned_root;
		static DEFINE_SPINLOCK(pinned_root_spinlock);