13523bef1e
LoadPin's "enabled" setting is really about enforcement, not whether or not the LSM is using LSM hooks. Instead, split this out so that LSM enabling can be logically distinct from whether enforcement is happening (for example, the pinning happens when the LSM is enabled, but the pin is only checked when "enforce" is set). This allows LoadPin to continue to operate sanely in test environments once LSM enable/disable is centrally handled (i.e. we want LoadPin to be enabled separately from its enforcement). Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com> |
||
|---|---|---|
| .. | ||
| apparmor | ||
| integrity | ||
| keys | ||
| loadpin | ||
| selinux | ||
| smack | ||
| tomoyo | ||
| yama | ||
| Kconfig | ||
| Makefile | ||
| commoncap.c | ||
| device_cgroup.c | ||
| inode.c | ||
| lsm_audit.c | ||
| min_addr.c | ||
| security.c | ||