Skip to content

L
linux
Commit 30da4f77 authored by Kees Cook's avatar Kees Cook Committed by Jonathan Corbet
Browse files
Options

doc: ReSTify LoadPin.txt 

Adjusts for ReST markup and moves under LSM admin guide.
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarJonathan Corbet <corbet@lwn.net>
parent 90bb7664
Hide whitespace changes
Inline Side-by-side
Showing with 10 additions and 4 deletions
Documentation/security/LoadPin.txt Documentation/admin-guide/LSM/LoadPin.rst
View file @ 30da4f77
=======
LoadPin
=======
LoadPin is a Linux Security Module that ensures all kernel-loaded files LoadPin is a Linux Security Module that ensures all kernel-loaded files
(modules, firmware, etc) all originate from the same filesystem, with (modules, firmware, etc) all originate from the same filesystem, with
the expectation that such a filesystem is backed by a read-only device the expectation that such a filesystem is backed by a read-only device
...@@ -5,13 +9,13 @@ such as dm-verity or CDROM. This allows systems that have a verified ...@@ -5,13 +9,13 @@ such as dm-verity or CDROM. This allows systems that have a verified
and/or unchangeable filesystem to enforce module and firmware loading and/or unchangeable filesystem to enforce module and firmware loading
restrictions without needing to sign the files individually. restrictions without needing to sign the files individually.
The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and The LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and
can be controlled at boot-time with the kernel command line option can be controlled at boot-time with the kernel command line option
"loadpin.enabled". By default, it is enabled, but can be disabled at "``loadpin.enabled``". By default, it is enabled, but can be disabled at
boot ("loadpin.enabled=0"). boot ("``loadpin.enabled=0``").
LoadPin starts pinning when it sees the first file loaded. If the LoadPin starts pinning when it sees the first file loaded. If the
block device backing the filesystem is not read-only, a sysctl is block device backing the filesystem is not read-only, a sysctl is
created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
a mutable filesystem means pinning is mutable too, but having the a mutable filesystem means pinning is mutable too, but having the
sysctl allows for easy testing on systems with a mutable filesystem.) sysctl allows for easy testing on systems with a mutable filesystem.)
Documentation/admin-guide/LSM/index.rst
View file @ 30da4f77
...@@ -34,6 +34,7 @@ the one "major" module (e.g. SELinux) if there is one configured. ...@@ -34,6 +34,7 @@ the one "major" module (e.g. SELinux) if there is one configured.
:maxdepth: 1 :maxdepth: 1
apparmor apparmor
LoadPin
SELinux SELinux
tomoyo tomoyo
Yama Yama
MAINTAINERS
View file @ 30da4f77
...@@ -11567,6 +11567,7 @@ M: Kees Cook <keescook@chromium.org> ...@@ -11567,6 +11567,7 @@ M: Kees Cook <keescook@chromium.org>
T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/loadpin T: git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/loadpin
S: Supported S: Supported
F: security/loadpin/ F: security/loadpin/
F: Documentation/admin-guide/LSM/LoadPin.rst
YAMA SECURITY MODULE YAMA SECURITY MODULE
M: Kees Cook <keescook@chromium.org> M: Kees Cook <keescook@chromium.org>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7