| author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-11 14:42:44 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-07-11 14:42:44 -0700 |
| commit | c079512aad9718c12c6bb1b661880b15a73dfd69 (patch) | |
| tree | b8cb70b4d40102bb806287fe7592b713e032a16c /Documentation | |
| parent | 6b44fccdb8cdcc7c1df522529307566aa89a4ab1 (diff) | |
| parent | 0ff9848067b7b950a4ed70de7f5028600a2157e3 (diff) | |
| download | linux-c079512aad9718c12c6bb1b661880b15a73dfd69.tar.bz2 | |
Merge tag 'loadpin-v5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull security/loadpin updates from Kees Cook:
- Allow exclusion of specific file types (Ke Wu)
* tag 'loadpin-v5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
security/loadpin: Allow to exclude specific file types
Diffstat (limited to 'Documentation')

| -rw-r--r-- | Documentation/admin-guide/LSM/LoadPin.rst | 10 |
|---|---|---|

1 files changed, 10 insertions, 0 deletions
diff --git a/Documentation/admin-guide/LSM/LoadPin.rst b/Documentation/admin-guide/LSM/LoadPin.rst index 32070762d24c..716ad9b23c9a 100644 --- a/Documentation/admin-guide/LSM/LoadPin.rst +++ b/Documentation/admin-guide/LSM/LoadPin.rst @@ -19,3 +19,13 @@ block device backing the filesystem is not read-only, a sysctl is created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having a mutable filesystem means pinning is mutable too, but having the sysctl allows for easy testing on systems with a mutable filesystem.) + +It's also possible to exclude specific file types from LoadPin using kernel +command line option "``loadpin.exclude``". By default, all files are +included, but they can be excluded using kernel command line option such +as "``loadpin.exclude=kernel-module,kexec-image``". This allows to use +different mechanisms such as ``CONFIG_MODULE_SIG`` and +``CONFIG_KEXEC_VERIFY_SIG`` to verify kernel module and kernel image while +still use LoadPin to protect the integrity of other files kernel loads. The +full list of valid file types can be found in ``kernel_read_file_str`` +defined in ``include/linux/fs.h``. |
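Review bot: the new paragraph does not say what happens when ``loadpin.exclude`` names a type that is not in ``kernel_read_file_str`` (ignored, or rejected at boot); that should be documented next to the example, since a typo such as ``kernel_module`` would otherwise leave the admin believing the exclusion took effect. It should also spell out the trade-off the example implies: once ``kernel-module`` or ``kexec-image`` is excluded, LoadPin stops checking those loads entirely, so the exclusion is only safe when the substitute mechanism actually enforces (``CONFIG_MODULE_SIG`` by itself does not reject unsigned modules unless enforcement is enabled). Finally, the last two sentences need a grammar pass, e.g. "This allows using different mechanisms such as ``CONFIG_MODULE_SIG`` and ``CONFIG_KEXEC_VERIFY_SIG`` to verify kernel modules and the kernel image while still using LoadPin to protect the integrity of the other files the kernel loads."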