Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy

[RFC PATCH 0/9] Introducing the Loadpol LSM · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock the policy · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 6/9] Loadpol LSM: emit an audit log · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 7/9] module: expose the list of blacklisted modules · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon THOBY <hidden> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Randy Dunlap <hidden> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon Thoby <hidden> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Paul Moore <paul@paul-moore.com> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon Thoby <hidden> · 2025-05-22
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Paul Moore <paul@paul-moore.com> · 2025-05-29
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon Thoby <hidden> · 2025-05-30
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Paul Moore <paul@paul-moore.com> · 2025-05-30
[RFC PATCH 8/9] Loadpol LSM: include the blacklisted kernel modules in the policy · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load · Simon THOBY <hidden> · 2025-05-21
Re: [RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load · "Serge E. Hallyn" <serge@hallyn.com> · 2025-05-21
Re: [RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load · Simon Thoby <hidden> · 2025-05-22
[RFC PATCH 2/9] Introduce a new LSM: loadpol · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Simon THOBY <hidden> · 2025-05-21
Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Casey Schaufler <casey@schaufler-ca.com> · 2025-05-21
Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Randy Dunlap <hidden> · 2025-05-21
Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Simon Thoby <hidden> · 2025-05-21
[RFC PATCH 4/9] Loadpol LSM: add a file in securityfs to read/modify the policy · Simon THOBY <hidden> · 2025-05-21

From: Randy Dunlap <hidden>
Date: 2025-05-21 16:21:45
Also in: linux-doc, linux-integrity


On 5/21/25 8:47 AM, Casey Schaufler wrote:

On 5/21/2025 7:01 AM, Simon THOBY wrote:

quoted

When a kernel module is loaded, the LSM accepts or rejects the demand
according to its policy.

Signed-off-by: Simon THOBY <redacted>
---
 security/loadpol/Makefile         |  2 +-
 security/loadpol/loadpol.c        | 22 ++++++++++++
 security/loadpol/loadpol.h        | 27 ++++++++++++++
 security/loadpol/loadpol_policy.c | 59 +++++++++++++++++++++++++++++++
 4 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 security/loadpol/loadpol_policy.c

quoted

+
+struct loadpol_policy_entry {
+	struct list_head list;
+	// bitfield of policy_entry_origin

The // comment style is not used in the kernel.

Counter:

https://lore.kernel.org/lkml/CA+55aFyQYJerovMsSoSKS7PessZBr4vNp-3QUUwhqk4A4_jcbg@mail.gmail.com/ (local)


-- 
~Randy

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help