[PATCH v3 8/9] lockdown: Make the relationship to MODULE_SIG a dependency
Paul Moore
paul at paul-moore.com
Tue Apr 29 23:30:48 UTC 2025
On Tue, Apr 29, 2025 at 9:04 AM Thomas Weißschuh <linux at weissschuh.net> wrote:
>
> The new hash-based module integrity checking will also be able to
> satisfy the requirements of lockdown.
> Such an alternative is not representable with "select", so use
> "depends on" instead.
>
> Signed-off-by: Thomas Weißschuh <linux at weissschuh.net>
> ---
> security/lockdown/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I'm hopeful that we will see notice about dedicated Lockdown
maintainers soon, but in the meantime this looks okay to me.
Acked-by: Paul Moore <paul at paul-moore.com>
> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
> index e84ddf48401010bcc0829a32db58e6f12bfdedcb..155959205b8eac2c85897a8c4c8b7ec471156706 100644
> --- a/security/lockdown/Kconfig
> +++ b/security/lockdown/Kconfig
> @@ -1,7 +1,7 @@
> config SECURITY_LOCKDOWN_LSM
> bool "Basic module for enforcing kernel lockdown"
> depends on SECURITY
> - select MODULE_SIG if MODULES
> + depends on !MODULES || MODULE_SIG
> help
> Build support for an LSM that enforces a coarse kernel lockdown
> behaviour.
>
> --
> 2.49.0
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list