author | Matthew Garrett <matthewgarrett@google.com> | 2019-08-19 20:17:38 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2019-08-20 00:54:15 -0400 |
commit | 9e47d31d6a57b5babaca36d42b0d11b6db6019b7 (patch) | |
tree | fcc41c716dbdeb3f8237903284e54ea524d2f463 /security/security.c | |
parent | e6b1db98cf4d54d9ea59cfcc195f70dc946fdd38 (diff) |
security: Add a "locked down" LSM hook
Add a mechanism to allow LSMs to make a policy decision around whether
kernel functionality that would allow tampering with or examining the
runtime state of the kernel should be permitted.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/security.c')
-rw-r--r-- | security/security.c | 6 |
1 files changed, 6 insertions, 0 deletions
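--- a/security/security.c
+++ b/security/security.c
@@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
 call_void_hook(bpf_prog_free_security, aux);
 }
 #endif /* CONFIG_BPF_SYSCALL */
+
+int security_locked_down(enum lockdown_reason what)
+{
+return call_int_hook(locked_down, 0, what);
+}
+EXPORT_SYMBOL(security_locked_down);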
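Review bot: security_locked_down(), added at the end of this hunk, is exported without any comment stating its return contract, so a caller cannot tell from this file which value means "denied". The `0` passed as the second argument to call_int_hook (defined outside the hunk) is the initial return code, so the function reports "permitted" whenever no LSM registers a locked_down hook; that default-allow behaviour is worth documenting explicitly. I would add above the function: `/* Returns 0 if @what is permitted, or the non-zero error from the first LSM that denies it; 0 when no LSM implements the hook. */`. Since callers gate tampering-sensitive functionality on this result, it may also be worth marking the declaration `__must_check` in the header, which is not visible here.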