t/linux: enable LoadPin LSM The LoadPin LSM ensures that the kernel only loads files for its own use (like firmware, modules, ...) from the root file system. This helps prevent attacks which overlay directories with mount points. Change-Id: Id7f8da0e6030e2a6d19fc25840063e6af56c389c Reviewed-on: https://review.monogon.dev/c/monogon/+/835 Tested-by: Jenkins CI Reviewed-by: Leopold Schabel <leo@monogon.tech>

commit: e5053ed77b4fcfce6f88e2f8f0e98a0581b795cb [log] [tgz]
author: Lorenz Brun <lorenz@monogon.tech> Wed Jul 13 14:25:02 2022 +0000
committer: Lorenz Brun <lorenz@monogon.tech> Thu Jul 14 09:01:19 2022 +0000
tree: 70b259c9a023b389267064690131597ab2386ecd
parent: ea0a2c862d41544cf58807b17daf6b3b4dfa12bc [diff]
diff --git a/third_party/linux/linux-metropolis.config b/third_party/linux/linux-metropolis.config
index 41defc2..bfcf771 100644
--- a/third_party/linux/linux-metropolis.config
+++ b/third_party/linux/linux-metropolis.config

@@ -3497,7 +3497,8 @@
 # CONFIG_SECURITY_SMACK is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
-# CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOADPIN=y
+CONFIG_SECURITY_LOADPIN_ENFORCE=y
 # CONFIG_SECURITY_YAMA is not set
 # CONFIG_SECURITY_SAFESETID is not set
 CONFIG_SECURITY_LOCKDOWN_LSM=y
commit	e5053ed77b4fcfce6f88e2f8f0e98a0581b795cb	[log] [tgz]
author	Lorenz Brun <lorenz@monogon.tech>	Wed Jul 13 14:25:02 2022 +0000
committer	Lorenz Brun <lorenz@monogon.tech>	Thu Jul 14 09:01:19 2022 +0000
tree	70b259c9a023b389267064690131597ab2386ecd
parent	ea0a2c862d41544cf58807b17daf6b3b4dfa12bc [diff]