From: Joe Perches <joe@perches.com>
To: Kees Cook <keescook@chromium.org>, James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Kalle Valo <kvalo@codeaurora.org>,
	Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
	Guenter Roeck <linux@roeck-us.net>, Jiri Slaby <jslaby@suse.com>,
	Paul Moore <pmoore@redhat.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Andreas Gruenbacher <agruenba@redhat.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Ulf Hansson <ulf.hansson@linaro.org>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 5/5] LSM: LoadPin for kernel file loading restrictions
Date: Mon, 28 Mar 2016 16:20:34 -0700
Message-ID: <1459207234.25110.31.camel@perches.com>
In-Reply-To: <1459199662-16558-6-git-send-email-keescook@chromium.org>

On Mon, 2016-03-28 at 14:14 -0700, Kees Cook wrote:
> This LSM enforces that kernel-loaded files (modules, firmware, etc)
> must all come from the same filesystem, with the expectation that
> such a filesystem is backed by a read-only device such as dm-verity
> or CDROM. This allows systems that have a verified and/or unchangeable
> filesystem to enforce module and firmware loading restrictions without
> needing to sign the files individually.

trivia:

> diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
[]
> +#define pr_fmt(fmt) "LoadPin: " fmt
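
Review bot: on the `+#define pr_fmt(fmt) "LoadPin: " fmt` line, the surrounding context is elided (`[]`), so it is not visible whether the define sits above the first `#include` in loadpin.c. Defining it after `<linux/printk.h>` has already been pulled in redefines the default `pr_fmt` and draws a macro-redefinition warning, so confirm it is the first thing in the file after the header comment. Whichever prefix spelling is settled on, keep it stable once merged, since anything matching these messages in the kernel log will key on that string.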

Using

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

would be a lot more common.

Is there some reason the logging messages should be
prefixed with "LoadPin: " instead of "loadpin: "?
