Linux Integrity Measurement development
From: Randy Dunlap <rdunlap@infradead.org>
To: Simon THOBY <git@nightmared.fr>, linux-security-module@vger.kernel.org
Cc: linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org
Subject: Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation
Date: Wed, 21 May 2025 09:26:10 -0700	[thread overview]
Message-ID: <ef2d4d13-d8f3-4922-b3ce-54606d733b1b@infradead.org> (raw)
In-Reply-To: <20250521140121.591482-10-git@nightmared.fr>

Hi--

On 5/21/25 7:01 AM, Simon THOBY wrote:
> Introduce a minimal documentation for Loadpol, presenting the policy
> format and the two user interfaces: the securityfs policy file and the
> sysctl.
> 
> Signed-off-by: Simon THOBY <git@nightmared.fr>
> ---
>  Documentation/admin-guide/LSM/Loadpol.rst | 81 +++++++++++++++++++++++
>  Documentation/admin-guide/LSM/index.rst   |  1 +
>  2 files changed, 82 insertions(+)
>  create mode 100644 Documentation/admin-guide/LSM/Loadpol.rst
> 
> diff --git a/Documentation/admin-guide/LSM/Loadpol.rst b/Documentation/admin-guide/LSM/Loadpol.rst
> new file mode 100644
> index 000000000000..0aa24a8d393c
> --- /dev/null
> +++ b/Documentation/admin-guide/LSM/Loadpol.rst
> @@ -0,0 +1,81 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +=======
> +Loadpol
> +=======
> +
> +Loadpol is a Linux Security Module that enforces a user-provided policy
> +when decided whether a dynamic module can be loaded or not.
> +
> +The policy can be read and rewritten at ``/sys/kernel/security/loadpol/policy``.
> +
> +A default policy is created that contains the current list of blacklisted modules,

Where does the current list of blacklisted modules come from?
Is it from the kernel command line parameter "module_blacklist=" or
somewhere else?

> +and a catch-all entry that allow loading any module.
> +
> +Policy format
> +=============
> +
> +The policy is defined as a set of line-separated entries.
> +Each entry define the conditions for a match (the origin of the load request and
> +the name of the kernel module), and the action to take when the load request
> +matches the entry.
> +
> +
> +Entry syntax: ``[origin=(userspace|kernel|kernel,userspace)] [module=<module_name>] action=(allow|deny)``
> +
> +There are two matching conditions:
> +
> +``origin``:
> +    Load Requests can come from two origins:
> +
> +    * ``userspace`` (ie. a program in userspace called modprobe/insmod)
                       (i.e.,

> +    * ``kernel`` (the kernel requested the module directly by calling
> +      ``request_module(...)``, e.g. loading a filesystem when performing a
> +      ``-o loop`` mount).
> +
> +    When unspecified, the condition defaults to ``kernel,userspace`` (which means
> +    that both origins match).
> +
> +``module``:
> +    Name of the kernel module being matched. The name can contain wilcards.

                                                                     wildcards.

> +    Beware, module aliases do not work!
> +
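Review bot: the "Policy format" section never states in which order entries are evaluated (first match or last match wins) nor what the verdict is when no entry matches; for a line-ordered file that mixes ``allow`` and ``deny`` entries this is the property an administrator most needs to know, and the "catch-all entry" in the default policy implies that a no-match case exists. Suggest one sentence after the ``Entry syntax:`` line stating the evaluation order and the no-match default. The ``module`` description should also say which wildcard syntax is accepted (``*`` only, or a full glob) and which string the pattern is compared against, since "Beware, module aliases do not work!" is only actionable if the reader knows whether the name passed to ``request_module(...)`` or the name of the module actually being loaded is what gets matched. Minor wording in this hunk: "when decided whether" should read "when deciding whether", "a catch-all entry that allow loading" should read "that allows loading", and "Each entry define the conditions" should read "Each entry defines the conditions".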


-- 
~Randy
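The policy format quoted in the patch above, as an added user-space simulator that is not part of the Loadpol patch set or of this thread. It parses ``[origin=...] [module=...] action=...`` entries with the documented default for a missing ``origin``, then evaluates a load request against them. Three things are assumptions rather than anything the patch states: wildcards are glob patterns in the fnmatch(3) sense, entries are tried top to bottom and the first match wins, and a request that matches no entry is reported as such instead of being silently allowed or denied. The helpers ``parse_entry``, ``parse_policy``, ``evaluate`` and ``decide``, the sample policy and the module names are all constructed for this example.

```c
/* loadpol_sim.c: user-space simulator for the Loadpol policy syntax (added
 * example, not code from the patch). Assumed, because the patch does not say:
 * wildcards are fnmatch(3) globs, entries are tried top to bottom and the
 * first match decides, and a request that matches no entry is NO_MATCH. */
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
enum origin { ORIG_USERSPACE = 1, ORIG_KERNEL = 2 };
enum verdict { BAD_POLICY = -2, NO_MATCH = -1, DENY = 0, ALLOW = 1 };
struct entry {
	unsigned origins; /* bitmask of enum origin */
	char module[64];  /* glob pattern, "*" when module= is absent */
	int allow;        /* 1 for action=allow, 0 for action=deny */
};

/* One "key=value ..." entry: 1 on success, 0 on an unknown key, a bad value
 * or a missing action=. Unspecified origin defaults to kernel,userspace. */
static int parse_entry(const char *line, struct entry *e)
{
	char buf[256], *save, *tok; int have_action = 0;
	if (strlen(line) >= sizeof(buf)) return 0;
	strcpy(buf, line);
	e->origins = ORIG_KERNEL | ORIG_USERSPACE;
	strcpy(e->module, "*");
	for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
		char *val = strchr(tok, '=');
		if (!val) return 0;
		*val++ = '\0';
		if (!strcmp(tok, "origin")) {
			if (!strcmp(val, "kernel")) e->origins = ORIG_KERNEL;
			else if (!strcmp(val, "userspace")) e->origins = ORIG_USERSPACE;
			else if (!strcmp(val, "kernel,userspace") || !strcmp(val, "userspace,kernel"))
				e->origins = ORIG_KERNEL | ORIG_USERSPACE;
			else return 0;
		} else if (!strcmp(tok, "module")) {
			if (!*val || strlen(val) >= sizeof(e->module)) return 0;
			strcpy(e->module, val);
		} else if (!strcmp(tok, "action")) {
			if (strcmp(val, "allow") && strcmp(val, "deny")) return 0;
			e->allow = !strcmp(val, "allow");
			have_action = 1;
		} else return 0;
	}
	return have_action;
}

/* Whole policy, one entry per line, blank lines skipped. Returns the entry
 * count, or -(line number) of the first malformed line. */
static int parse_policy(const char *text, struct entry *out, int max)
{
	int n = 0, lineno = 0; char line[256];
	while (*text) {
		size_t len = strcspn(text, "\n");
		lineno++;
		if (len >= sizeof(line)) return -lineno;
		memcpy(line, text, len);
		line[len] = '\0';
		text += len + (text[len] == '\n');
		if (line[strspn(line, " \t")] == '\0') continue; /* blank line */
		if (n == max || !parse_entry(line, &out[n])) return -lineno;
		n++;
	}
	return n;
}

/* First matching entry decides (assumption, see the header comment). */
static enum verdict evaluate(const struct entry *pol, int n, enum origin o, const char *name)
{
	for (int i = 0; i < n; i++)
		if ((pol[i].origins & o) && fnmatch(pol[i].module, name, 0) == 0)
			return pol[i].allow ? ALLOW : DENY;
	return NO_MATCH;
}

/* Parse and evaluate in one step, for what-if checks against a policy text. */
static enum verdict decide(const char *policy, enum origin o, const char *name)
{
	struct entry pol[32]; int n = parse_policy(policy, pol, 32);
	return n < 0 ? BAD_POLICY : evaluate(pol, n, o, name);
}

/* Constructed sample in the shape the patch describes: blacklisted modules
 * first, a catch-all allow last (the blank line is skipped by the parser). */
static const char sample_policy[] =
	"origin=userspace module=floppy action=deny\n"
	"module=pcspkr action=deny\n"
	"origin=kernel module=nf_* action=deny\n\n"
	"action=allow\n";
int main(void)
{
	static const char *label[] = { "bad policy", "no match", "deny", "allow" }; /* index = verdict + 2 */
	printf("kernel nf_conntrack: %s\n", label[decide(sample_policy, ORIG_KERNEL, "nf_conntrack") + 2]);
	/* Same two entries with the catch-all first: under first-match the verdict flips. */
	printf("catch-all first: %s\n", label[decide("action=allow\norigin=kernel module=nf_* action=deny\n", ORIG_KERNEL, "nf_conntrack") + 2]);
	/* A pattern is compared to the literal request string: "ext4" does not match "fs-ext4". */
	printf("fs-ext4 vs module=ext4: %s\n", label[decide("module=ext4 action=deny\naction=allow\n", ORIG_KERNEL, "fs-ext4") + 2]);
	return 0;
}
```

Build with ``cc -o loadpol_sim loadpol_sim.c``. The two ``nf_*`` policies differ only in the order of their lines and, under first-match evaluation, give opposite verdicts for ``nf_conntrack``; that is the reason the documentation has to state the evaluation order. The ``fs-ext4`` case shows that a ``module=`` pattern is compared literally against whatever string the hook receives: the kernel's own filesystem lookup calls ``request_module()`` with the alias string ``fs-<name>``, so an entry written for the module name ``ext4`` matches nothing if that alias is what Loadpol sees. Which name Loadpol actually compares is exactly what the "module aliases do not work" warning should spell out.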


Thread overview: 22+ messages
2025-05-21 14:01 [RFC PATCH 0/9] Introducing the Loadpol LSM Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load Simon THOBY
2025-05-21 22:03   ` Serge E. Hallyn
2025-05-22  8:57     ` Simon Thoby
2025-05-21 14:01 ` [RFC PATCH 2/9] Introduce a new LSM: loadpol Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy Simon THOBY
2025-05-21 15:47   ` Casey Schaufler
2025-05-21 16:21     ` Randy Dunlap
2025-05-21 16:26     ` Simon Thoby
2025-05-21 14:01 ` [RFC PATCH 4/9] Loadpol LSM: add a file in securityfs to read/modify " Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock " Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 6/9] Loadpol LSM: emit an audit log Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 7/9] module: expose the list of blacklisted modules Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 8/9] Loadpol LSM: include the blacklisted kernel modules in the policy Simon THOBY
2025-05-21 14:01 ` [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation Simon THOBY
2025-05-21 16:26   ` Randy Dunlap [this message]
2025-05-21 16:29     ` Simon Thoby
2025-05-21 21:31   ` Paul Moore
2025-05-22  9:23     ` Simon Thoby
2025-05-29 23:49       ` Paul Moore
2025-05-30  7:03         ` Simon Thoby
2025-05-30 14:59           ` Paul Moore
