Commit b937190

kees authored and James Morris committed
LSM: LoadPin: provide enablement CONFIG
Instead of being enabled by default when SECURITY_LOADPIN is selected, provide an additional (default off) config to determine the boot time behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains available.

Suggested-by: James Morris <jmorris@namei.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
1 parent a6926cc commit b937190

2 files changed, +15 -6 lines changed
security/loadpin/Kconfig

Lines changed: 14 additions & 5 deletions
@@ -3,8 +3,17 @@ config SECURITY_LOADPIN
33
depends on SECURITY && BLOCK
44
help
55
Any files read through the kernel file reading interface
6-
(kernel modules, firmware, kexec images, security policy) will
7-
be pinned to the first filesystem used for loading. Any files
8-
that come from other filesystems will be rejected. This is best
9-
used on systems without an initrd that have a root filesystem
10-
backed by a read-only device such as dm-verity or a CDROM.
6+
(kernel modules, firmware, kexec images, security policy)
7+
can be pinned to the first filesystem used for loading. When
8+
enabled, any files that come from other filesystems will be
9+
rejected. This is best used on systems without an initrd that
10+
have a root filesystem backed by a read-only device such as
11+
dm-verity or a CDROM.
12+
13+
config SECURITY_LOADPIN_ENABLED
14+
bool "Enforce LoadPin at boot"
15+
depends on SECURITY_LOADPIN
16+
help
17+
If selected, LoadPin will enforce pinning at boot. If not
18+
selected, it can be enabled at boot with the kernel parameter
19+
"loadpin.enabled=1".
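
Review bot: The help text for SECURITY_LOADPIN_ENABLED covers only the "loadpin.enabled=1" direction. The commit message says the "loadpin.enabled=0/1" kernel parameter remains available, so a kernel built with this option selected can still have pinning switched off from the command line. The help should say that as well, for example with a sentence such as: If selected, it can be disabled at boot with "loadpin.enabled=0". Anyone relying on the build-time setting for enforcement then knows the boot command line has to be protected too.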

security/loadpin/loadpin.c

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ static void report_load(const char *origin, struct file *file, char *operation)
4545
kfree(pathname);
4646
}
4747

48-
static int enabled = 1;
48+
static int enabled = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENABLED);
4949
static struct super_block *pinned_root;
5050
static DEFINE_SPINLOCK(pinned_root_spinlock);
5151

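
Review bot: The new initializer on the "static int enabled" line silently changes behavior for existing configurations: a kernel that already sets SECURITY_LOADPIN=y and takes the default for the new option goes from enabled = 1 to enabled = 0, so pinning is no longer enforced after the upgrade unless "loadpin.enabled=1" is passed. Nothing in the visible lines reports the initial state. Consider calling this out in the SECURITY_LOADPIN help text, or logging whether enforcement is on at boot, so the change is visible to anyone carrying an old .config forward.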