This provides the mini-LSM "loadpin" that intercepts the now consolidated kernel_file_read LSM hook so that a system can keep all loads coming from a single trusted filesystem. This is what Chrome OS uses to pin kernel module and firmware loading to the read-only crypto-verified dm-verity partition so that kernel module signing is not needed.
-Kees v2: - break out utility helpers into separate functions - have Yama use new helpers too
