This adds the Hornet Linux Security Module which provides enhanced signature verification and data validation for eBPF programs. This allows users to continue to maintain an invariant that all code running inside of the kernel has actually been signed and verified, by the kernel. This effort builds upon the currently excepted upstream solution. It further hardens it by providing deterministic, in-kernel checking of map hashes to solidify auditing along with preventing TOCTOU attacks against lskel map hashes. Target map hashes are passed in via PKCS#7 signed attributes. Hornet determines the extent which the eBFP program is signed and defers to other LSMs for policy decisions. Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com> Nacked-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> [PM: subject line tweak] Signed-off-by: Paul Moore <paul@paul-moore.com>