Commit 9b091556 authored by Kees Cook's avatar Kees Cook Committed by James Morris
Browse files

LSM: LoadPin for kernel file loading restrictions 



This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent 1284ab5b

Documentation/security/LoadPin.txt

0 → 100644
+17 −0
Original line number Diff line number Diff line 
LoadPin is a Linux Security Module that ensures all kernel-loaded files

(modules, firmware, etc) all originate from the same filesystem, with

the expectation that such a filesystem is backed by a read-only device

such as dm-verity or CDROM. This allows systems that have a verified

and/or unchangeable filesystem to enforce module and firmware loading

restrictions without needing to sign the files individually.



The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and

can be controlled at boot-time with the kernel command line option

"loadpin.enabled". By default, it is enabled, but can be disabled at

boot ("loadpin.enabled=0").



LoadPin starts pinning when it sees the first file loaded. If the

block device backing the filesystem is not read-only, a sysctl is

created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having

a mutable filesystem means pinning is mutable too, but having the

sysctl allows for easy testing on systems with a mutable filesystem.)

MAINTAINERS

+6 −0
Original line number Diff line number Diff line
@@ -9962,6 +9962,12 @@ T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git 
S:	Supported

F:	security/apparmor/



LOADPIN SECURITY MODULE

M:	Kees Cook <keescook@chromium.org>

T:	git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/loadpin

S:	Supported

F:	security/loadpin/



YAMA SECURITY MODULE

M:	Kees Cook <keescook@chromium.org>

T:	git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git yama/tip

include/linux/lsm_hooks.h

+5 −0
Original line number Diff line number Diff line
@@ -1892,5 +1892,10 @@ extern void __init yama_add_hooks(void); 
#else

static inline void __init yama_add_hooks(void) { }

#endif

#ifdef CONFIG_SECURITY_LOADPIN

void __init loadpin_add_hooks(void);

#else

static inline void loadpin_add_hooks(void) { };

#endif



#endif /* ! __LINUX_LSM_HOOKS_H */

security/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -122,6 +122,7 @@ source security/selinux/Kconfig 
source security/smack/Kconfig

source security/tomoyo/Kconfig

source security/apparmor/Kconfig

source security/loadpin/Kconfig

source security/yama/Kconfig



source security/integrity/Kconfig

security/Makefile

+2 −0
Original line number Diff line number Diff line
@@ -8,6 +8,7 @@ subdir-$(CONFIG_SECURITY_SMACK) += smack 
subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo

subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor

subdir-$(CONFIG_SECURITY_YAMA)		+= yama

subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin



# always enable default capabilities

obj-y					+= commoncap.o
@@ -22,6 +23,7 @@ obj-$(CONFIG_AUDIT) += lsm_audit.o 
obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/

obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/

obj-$(CONFIG_SECURITY_YAMA)		+= yama/

obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/

obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o



# Object integrity file lists

CRA Git | Maintained and supported by SUSTech CRA and CCSE