mbox series

[0/4] LoadPin: Allow filesystem switch when not enforcing

Message ID 20221209195520.never.357-kees@kernel.org (mailing list archive)
Headers show
Series LoadPin: Allow filesystem switch when not enforcing | expand

Message

Kees Cook Dec. 9, 2022, 7:57 p.m. UTC 
Hi,

Right now, LoadPin isn't much use on general purpose distros since modules
tend to be loaded from multiple filesystems at boot (first initramfs,
then real rootfs). Allow the potential mount pin to move when enforcement
is not enabled.

-Kees

Kees Cook (4):
  LoadPin: Refactor read-only check into a helper
  LoadPin: Refactor sysctl initialization
  LoadPin: Move pin reporting cleanly out of locking
  LoadPin: Allow filesystem switch when not enforcing

 security/loadpin/loadpin.c | 89 ++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 37 deletions(-)

Comments

Serge E. Hallyn Dec. 12, 2022, 9:32 p.m. UTC | #1 
On Fri, Dec 09, 2022 at 11:57:41AM -0800, Kees Cook wrote:
> Hi,
> 
> Right now, LoadPin isn't much use on general purpose distros since modules
> tend to be loaded from multiple filesystems at boot (first initramfs,
> then real rootfs). Allow the potential mount pin to move when enforcement
> is not enabled.
> 
> -Kees

Reviewed-by: Serge Hallyn <serge@hallyn.com>

to the set, thanks.

> 
> Kees Cook (4):
>   LoadPin: Refactor read-only check into a helper
>   LoadPin: Refactor sysctl initialization
>   LoadPin: Move pin reporting cleanly out of locking
>   LoadPin: Allow filesystem switch when not enforcing
> 
>  security/loadpin/loadpin.c | 89 ++++++++++++++++++++++----------------
>  1 file changed, 52 insertions(+), 37 deletions(-)
> 
> -- 
> 2.34.1