security: Add a static lockdown policy LSM
While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Matthew Garrett
committed by
James Morris
James Morris
parent
9e47d31d6a
commit
000d388ed3
@@ -97,6 +97,9 @@ enum lsm_event {
|
||||
* potentially a moving target. It is easy to misuse this information
|
||||
* in a way that could break userspace. Please be careful not to do
|
||||
* so.
|
||||
*
|
||||
* If you add to this, remember to extend lockdown_reasons in
|
||||
* security/lockdown/lockdown.c.
|
||||
*/
|
||||
enum lockdown_reason {
|
||||
LOCKDOWN_NONE,
|
||||
|
||||
Reference in New Issue
Block a user