summaryrefslogtreecommitdiff
path: root/security/Makefile
diff options
context:
space:
mode:
authorMatthew Garrett <matthewgarrett@google.com>2019-08-19 17:17:39 -0700
committerJames Morris <jmorris@namei.org>2019-08-19 21:54:15 -0700
commit000d388ed3bbed745f366ce71b2bb7c2ee70f449 (patch)
tree8df5d266713aa79f5009a515ec5db597a61aba30 /security/Makefile
parent9e47d31d6a57b5babaca36d42b0d11b6db6019b7 (diff)
downloadlwn-000d388ed3bbed745f366ce71b2bb7c2ee70f449.tar.gz
lwn-000d388ed3bbed745f366ce71b2bb7c2ee70f449.zip
security: Add a static lockdown policy LSM
While existing LSMs can be extended to handle lockdown policy, distributions generally want to be able to apply a straightforward static policy. This patch adds a simple LSM that can be configured to reject either integrity or all lockdown queries, and can be configured at runtime (through securityfs), boot time (via a kernel parameter) or build time (via a kconfig option). Based on initial code by David Howells. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Cc: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/Makefile')
-rw-r--r--security/Makefile2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index c598b904938f..be1dd9d2cb2f 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -11,6 +11,7 @@ subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
subdir-$(CONFIG_SECURITY_YAMA) += yama
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
+subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
# always enable default capabilities
obj-y += commoncap.o
@@ -27,6 +28,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
obj-$(CONFIG_SECURITY_YAMA) += yama/
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
+obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists