diff options
author | Matthew Garrett <matthewgarrett@google.com> | 2019-08-19 17:17:38 -0700 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2019-08-19 21:54:15 -0700 |
commit | 9e47d31d6a57b5babaca36d42b0d11b6db6019b7 (patch) | |
tree | fcc41c716dbdeb3f8237903284e54ea524d2f463 /security | |
parent | e6b1db98cf4d54d9ea59cfcc195f70dc946fdd38 (diff) | |
download | lwn-9e47d31d6a57b5babaca36d42b0d11b6db6019b7.tar.gz lwn-9e47d31d6a57b5babaca36d42b0d11b6db6019b7.zip |
security: Add a "locked down" LSM hook
Add a mechanism to allow LSMs to make a policy decision around whether
kernel functionality that would allow tampering with or examining the
runtime state of the kernel should be permitted.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/security.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/security.c b/security/security.c index ef4a0111c8b4..7fc373486d7a 100644 --- a/security/security.c +++ b/security/security.c @@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) call_void_hook(bpf_prog_free_security, aux); } #endif /* CONFIG_BPF_SYSCALL */ + +int security_locked_down(enum lockdown_reason what) +{ + return call_int_hook(locked_down, 0, what); +} +EXPORT_SYMBOL(security_locked_down); |