9b091556a0
This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
32 lines
989 B
Makefile
32 lines
989 B
Makefile
#
|
|
# Makefile for the kernel security code
|
|
#
|
|
|
|
obj-$(CONFIG_KEYS) += keys/
|
|
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
|
|
subdir-$(CONFIG_SECURITY_SMACK) += smack
|
|
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
|
|
subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
|
|
subdir-$(CONFIG_SECURITY_YAMA) += yama
|
|
subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
|
|
|
|
# always enable default capabilities
|
|
obj-y += commoncap.o
|
|
obj-$(CONFIG_MMU) += min_addr.o
|
|
|
|
# Object file lists
|
|
obj-$(CONFIG_SECURITY) += security.o
|
|
obj-$(CONFIG_SECURITYFS) += inode.o
|
|
obj-$(CONFIG_SECURITY_SELINUX) += selinux/
|
|
obj-$(CONFIG_SECURITY_SMACK) += smack/
|
|
obj-$(CONFIG_AUDIT) += lsm_audit.o
|
|
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/
|
|
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/
|
|
obj-$(CONFIG_SECURITY_YAMA) += yama/
|
|
obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/
|
|
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
|
|
|
|
# Object integrity file lists
|
|
subdir-$(CONFIG_INTEGRITY) += integrity
|
|
obj-$(CONFIG_INTEGRITY) += integrity/
|