Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation

[RFC PATCH 0/9] Introducing the Loadpol LSM · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 5/9] Loadpol LSM: add a sysctl to lock the policy · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 6/9] Loadpol LSM: emit an audit log · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 7/9] module: expose the list of blacklisted modules · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon THOBY <hidden> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Randy Dunlap <hidden> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon Thoby <hidden> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Paul Moore <paul@paul-moore.com> · 2025-05-21
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon Thoby <hidden> · 2025-05-22
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Paul Moore <paul@paul-moore.com> · 2025-05-29
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Simon Thoby <hidden> · 2025-05-30
Re: [RFC PATCH 9/9] Loadpol LSM: add a minimal documentation · Paul Moore <paul@paul-moore.com> · 2025-05-30
[RFC PATCH 8/9] Loadpol LSM: include the blacklisted kernel modules in the policy · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load · Simon THOBY <hidden> · 2025-05-21
Re: [RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load · "Serge E. Hallyn" <serge@hallyn.com> · 2025-05-21
Re: [RFC PATCH 1/9] LSM: Introduce a new hook: security_kernel_module_load · Simon Thoby <hidden> · 2025-05-22
[RFC PATCH 2/9] Introduce a new LSM: loadpol · Simon THOBY <hidden> · 2025-05-21
[RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Simon THOBY <hidden> · 2025-05-21
Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Casey Schaufler <casey@schaufler-ca.com> · 2025-05-21
Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Randy Dunlap <hidden> · 2025-05-21
Re: [RFC PATCH 3/9] Loadpol LSM: filter kernel module request according to the policy · Simon Thoby <hidden> · 2025-05-21
[RFC PATCH 4/9] Loadpol LSM: add a file in securityfs to read/modify the policy · Simon THOBY <hidden> · 2025-05-21

From: Randy Dunlap <hidden>
Date: 2025-05-21 16:26:14
Also in: linux-doc, linux-integrity

Hi--

On 5/21/25 7:01 AM, Simon THOBY wrote:

quoted hunk ↗ jump to hunk

Introduce a minimal documentation for Loadpol, presenting the policy
format and the two user interfaces: the securityfs policy file and the
sysctl.

Signed-off-by: Simon THOBY <redacted>
---
 Documentation/admin-guide/LSM/Loadpol.rst | 81 +++++++++++++++++++++++
 Documentation/admin-guide/LSM/index.rst   |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 Documentation/admin-guide/LSM/Loadpol.rst

diff --git a/Documentation/admin-guide/LSM/Loadpol.rst b/Documentation/admin-guide/LSM/Loadpol.rst
new file mode 100644
index 000000000000..0aa24a8d393c
--- /dev/null
+++ b/Documentation/admin-guide/LSM/Loadpol.rst

@@ -0,0 +1,81 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+=======
+Loadpol
+=======
+
+Loadpol is a Linux Security Module that enforces a user-provided policy
+when decided whether a dynamic module can be loaded or not.
+
+The policy can be read and rewritten at ``/sys/kernel/security/loadpol/policy``.
+
+A default policy is created that contains the current list of blacklisted modules,

Where does the current list of blacklisted modules come from?
Is it from the kernel command line parameter "module_blacklist=" or
somewhere else?

+and a catch-all entry that allow loading any module.
+
+Policy format
+=============
+
+The policy is defined as a set of line-separated entries.
+Each entry define the conditions for a match (the origin of the load request and
+the name of the kernel module), and the action to take when the load request
+matches the entry.
+
+
+Entry syntax: ``[origin=(userspace|kernel|kernel,userspace)] [module=<module_name>] action=(allow|deny)``
+
+There are two matching conditions:
+
+``origin``:
+    Load Requests can come from two origins:
+
+    * ``userspace`` (ie. a program in userspace called modprobe/insmod)

                       (i.e.,

+    * ``kernel`` (the kernel requested the module directly by calling
+      ``request_module(...)``, e.g. loading a filesystem when performing a
+      ``-o loop`` mount).
+
+    When unspecified, the condition defaults to ``kernel,userspace`` (which means
+    that both origins match).
+
+``module``:
+    Name of the kernel module being matched. The name can contain wilcards.

                                                                     wildcards.

+    Beware, module aliases do not work!
+


-- 
~Randy

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help