From: Kees Cook <keescook@chromium.org>
To: Ke Wu <mikewu@google.com>
Cc: James Morris <jmorris@namei.org>,
Jonathan Corbet <corbet@lwn.net>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2] Allow to exclude specific file types in LoadPin
Date: Thu, 30 May 2019 19:23:34 -0700
Message-ID: <201905301921.AE6D8D1@keescook>
In-Reply-To: <alpine.LRH.2.21.1905310611190.26428@namei.org>

On Fri, May 31, 2019 at 06:11:44AM +1000, James Morris wrote:
> On Thu, 30 May 2019, Ke Wu wrote:
>
> > The Linux kernel already provides MODULE_SIG and KEXEC_VERIFY_SIG to
> > make sure loaded kernel modules and kernel images are trusted. This
> > patch adds a kernel command line option "loadpin.exclude" which
> > allows excluding specific file types from LoadPin. This is useful
> > when people want to use different mechanisms to verify modules and
> > kernel images while still using LoadPin to protect the integrity of
> > other files the kernel loads.
> >
> > Signed-off-by: Ke Wu <mikewu@google.com>
> > ---
> > Changelog since v1:
> > - Mark ignore_read_file_id with __ro_after_init.
> > - Mark parse_exclude() with __init.
> > - Use ARRAY_SIZE(ignore_read_file_id) instead of READING_MAX_ID.
>
> Looks good!
>
> Reviewed-by: James Morris <jamorris@linux.microsoft.com>

Thanks! Applied to my for-next/loadpin branch at
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
and should be visible in linux-next in a few days.

--
Kees Cook