0ff9848067
Linux kernel already provide MODULE_SIG and KEXEC_VERIFY_SIG to make sure loaded kernel module and kernel image are trusted. This patch adds a kernel command line option "loadpin.exclude" which allows to exclude specific file types from LoadPin. This is useful when people want to use different mechanisms to verify module and kernel image while still use LoadPin to protect the integrity of other files kernel loads. Signed-off-by: Ke Wu <mikewu@google.com> Reviewed-by: James Morris <jamorris@linux.microsoft.com> [kees: fix array size issue reported by Coverity via Colin Ian King] Signed-off-by: Kees Cook <keescook@chromium.org> |
||
---|---|---|
.. | ||
apparmor.rst | ||
index.rst | ||
LoadPin.rst | ||
SafeSetID.rst | ||
SELinux.rst | ||
Smack.rst | ||
tomoyo.rst | ||
Yama.rst |