On Mon, 2016-03-28 at 14:38 -0700, Andrew Morton wrote: > On Mon, 28 Mar 2016 14:14:22 -0700 Kees Cook <keesc...@chromium.org> wrote: > > > This LSM enforces that kernel-loaded files (modules, firmware, etc) > > must all come from the same filesystem, with the expectation that > > such a filesystem is backed by a read-only device such as dm-verity > > or CDROM. This allows systems that have a verified and/or unchangeable > > filesystem to enforce module and firmware loading restrictions without > > needing to sign the files individually. > > Patchset generally looks good to me. It's regrettable that a load of > stuff was added to lib/ for one obscure LSM but hopefully (doubtfully) > someone else will find a use for some of it.
I'm planning on adding support for measuring buffers, like the boot command line, which will need to be string safe. Mimi
