security: Add a "locked down" LSM hook Add a mechanism to allow LSMs to make a policy decision around whether kernel functionality that would allow tampering with or examining the runtime state of the kernel should be permitted. Signed-off-by: Matthew Garrett <mjg59@google.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>

commit: 9e47d31d6a57b5babaca36d42b0d11b6db6019b7 [log] [tgz]
author: Matthew Garrett <matthewgarrett@google.com> Mon Aug 19 17:17:38 2019 -0700
committer: James Morris <jmorris@namei.org> Mon Aug 19 21:54:15 2019 -0700
tree: fcc41c716dbdeb3f8237903284e54ea524d2f463
parent: e6b1db98cf4d54d9ea59cfcc195f70dc946fdd38 [diff] [blame]
diff --git a/security/security.c b/security/security.c
index ef4a011..7fc3734 100644
--- a/security/security.c
+++ b/security/security.c

@@ -2389,3 +2389,9 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
 	call_void_hook(bpf_prog_free_security, aux);
 }
 #endif /* CONFIG_BPF_SYSCALL */
+
+int security_locked_down(enum lockdown_reason what)
+{
+	return call_int_hook(locked_down, 0, what);
+}
+EXPORT_SYMBOL(security_locked_down);
commit	9e47d31d6a57b5babaca36d42b0d11b6db6019b7	[log] [tgz]
author	Matthew Garrett <matthewgarrett@google.com>	Mon Aug 19 17:17:38 2019 -0700
committer	James Morris <jmorris@namei.org>	Mon Aug 19 21:54:15 2019 -0700
tree	fcc41c716dbdeb3f8237903284e54ea524d2f463
parent	e6b1db98cf4d54d9ea59cfcc195f70dc946fdd38 [diff] [blame]