doc: ReSTify LoadPin.txt

Adjusts for ReST markup and moves under LSM admin guide.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

diff --git a/Documentation/admin-guide/LSM/LoadPin.rst b/Documentation/admin-guide/LSM/LoadPin.rst
new file mode 100644 (file)
index 0000000..3207076
--- /dev/null
+++ b/Documentation/admin-guide/LSM/LoadPin.rst
@@ -0,0 +1,21 @@
+=======
+LoadPin
+=======
+
+LoadPin is a Linux Security Module that ensures all kernel-loaded files
+(modules, firmware, etc) all originate from the same filesystem, with
+the expectation that such a filesystem is backed by a read-only device
+such as dm-verity or CDROM. This allows systems that have a verified
+and/or unchangeable filesystem to enforce module and firmware loading
+restrictions without needing to sign the files individually.
+
+The LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and
+can be controlled at boot-time with the kernel command line option
+"``loadpin.enabled``". By default, it is enabled, but can be disabled at
+boot ("``loadpin.enabled=0``").
+
+LoadPin starts pinning when it sees the first file loaded. If the
+block device backing the filesystem is not read-only, a sysctl is
+created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
+a mutable filesystem means pinning is mutable too, but having the
+sysctl allows for easy testing on systems with a mutable filesystem.)

diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst
index e5ba2c69b8efbfd22712e7d17e68005160aa945d..41f5262359f99bef72ba4ae4c66608db0678f41b 100644 (file)
--- a/Documentation/admin-guide/LSM/index.rst
+++ b/Documentation/admin-guide/LSM/index.rst
@@ -34,6 +34,7 @@ the one "major" module (e.g. SELinux) if there is one configured.
    :maxdepth: 1
 
    apparmor
+   LoadPin
    SELinux
    tomoyo
    Yama

diff --git a/Documentation/security/LoadPin.txt b/Documentation/security/LoadPin.txt
deleted file mode 100644 (file)
index e11877f..0000000
--- a/Documentation/security/LoadPin.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-LoadPin is a Linux Security Module that ensures all kernel-loaded files
-(modules, firmware, etc) all originate from the same filesystem, with
-the expectation that such a filesystem is backed by a read-only device
-such as dm-verity or CDROM. This allows systems that have a verified
-and/or unchangeable filesystem to enforce module and firmware loading
-restrictions without needing to sign the files individually.
-
-The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and
-can be controlled at boot-time with the kernel command line option
-"loadpin.enabled". By default, it is enabled, but can be disabled at
-boot ("loadpin.enabled=0").
-
-LoadPin starts pinning when it sees the first file loaded. If the
-block device backing the filesystem is not read-only, a sysctl is
-created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having
-a mutable filesystem means pinning is mutable too, but having the
-sysctl allows for easy testing on systems with a mutable filesystem.)

diff --git a/MAINTAINERS b/MAINTAINERS
index 816947653ea2a7a9b0e9987a8811082d5c702636..38a3d95d2d63fdc564ee1c62476ff7e4de556545 100644 (file)
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -11567,6 +11567,7 @@ M:      Kees Cook <keescook@chromium.org>
 T:     git git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git lsm/loadpin
 S:     Supported
 F:     security/loadpin/
+F:     Documentation/admin-guide/LSM/LoadPin.rst
 
 YAMA SECURITY MODULE
 M:     Kees Cook <keescook@chromium.org>