On Wed, 6 Apr 2016, Kees Cook wrote: > This provides the mini-LSM "loadpin" that intercepts the now consolidated > kernel_file_read LSM hook so that a system can keep all loads coming from > a single trusted filesystem. This is what Chrome OS uses to pin kernel > module and firmware loading to the read-only crypto-verified dm-verity > partition so that kernel module signing is not needed. >
This all looks good to me, just waiting now for the const fix suggested by Joe. -- James Morris <[email protected]>
