Hi James,

On Mon, Sep 23, 2013 at 06:45:35PM -0700, Kees Cook wrote:
> [+rusty]
>
> On Mon, Sep 23, 2013 at 6:28 PM, James Morris <jmor...@namei.org> wrote:
> > On Tue, 24 Sep 2013, James Morris wrote:
> >
> >> On Fri, 20 Sep 2013, Kees Cook wrote:
> >>
> >> > This LSM enforces that modules must all come from the same filesystem,
> >> > with the expectation that such a filesystem is backed by a read-only
> >> > device such as dm-verity or CDROM. This allows systems that have a
> >> > verified or unchanging filesystem to enforce module loading restrictions
> >> > without needing to sign the modules individually.
> >> >
> >> > Signed-off-by: Kees Cook <keesc...@chromium.org>
> >>
> >> Are you using this for ChromeOS?
>
> Yes. Chrome OS uses a read-only root filesystem that is backed by
> dm-verity. This lets us pin all module loading to that filesystem
> without needing per-module signatures.
>
> > Also, you should CC Rusty on this.
>
> Done! :)

Any update on this? It'd be nice to have it in linux-next.

Thanks,

-Kees

--
Kees Cook @outflux.net