
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull integrity subsystem regression fix from James Morris:
"Commit fdf90729e578 "ima: support new kernel module syscall" by error
modified init_module() to return INTEGRITY_UNKNOWN (which is 4) to
user space if the kernel was built with CONFIG_IMA_APPRAISE=y.

As a result, user space can no longer load kernel modules using
init_module(). This commit fixes this regression."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall

+11 -5
+1
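--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -139,6 +139,7 @@
 /* Appraise integrity measurements */
 #define IMA_APPRAISE_ENFORCE	0x01
 #define IMA_APPRAISE_FIX	0x02
+#define IMA_APPRAISE_MODULES	0x04
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(struct integrity_iint_cache *iint,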
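Review bot: The new `#define IMA_APPRAISE_MODULES 0x04` carries no comment, and unlike the neighbouring ENFORCE and FIX flags, which describe an operating mode, this one records a fact about the loaded policy, so a reader of the header cannot tell where it is set or who reads it. Suggest `/* policy contains a MODULE_CHECK rule; consulted by ima_module_check() */` beside it, which is what the ima_policy.c and ima_main.c hunks of this commit establish.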
+8 -4
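--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -291,11 +291,15 @@
  */
 int ima_module_check(struct file *file)
 {
-	int rc;
+	int rc = 0;
 
-	if (!file)
-		rc = INTEGRITY_UNKNOWN;
-	else
+	if (!file) {
+		if (ima_appraise & IMA_APPRAISE_MODULES) {
+#ifndef CONFIG_MODULE_SIG_FORCE
+			rc = -EACCES;	/* INTEGRITY_UNKNOWN */
+#endif
+		}
+	} else
 		rc = process_measurement(file, file->f_dentry->d_name.name,
 					 MAY_EXEC, MODULE_CHECK);
 	return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;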
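Review bot: The trailing comment `/* INTEGRITY_UNKNOWN */` on the new `rc = -EACCES;` line names the value this hunk stops returning rather than why -EACCES is chosen, so it will read as stale to the next maintainer. A comment giving the actual reasoning is worth more: the legacy init_module() path has no file, so IMA cannot appraise the module and denies it unless CONFIG_MODULE_SIG_FORCE makes module-signature enforcement the fallback, e.g. `/* legacy init_module(): nothing to appraise; deny unless signature enforcement covers it */`. Note also that when no MODULE_CHECK rule set the flag, or when IMA_APPRAISE_ENFORCE is clear on the final return, rc stays 0 and the fileless path is allowed; if that is intended it deserves a sentence in the function header. As a style point, kernel code generally prefers `if (!IS_ENABLED(CONFIG_MODULE_SIG_FORCE))` to an `#ifndef` inside a function body, which also keeps both branches compiled in every configuration. The function's closing brace lies outside the hunk.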
+2 -1
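--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -523,7 +523,8 @@
 	}
 	if (!result && (entry->action == UNKNOWN))
 		result = -EINVAL;
-
+	else if (entry->func == MODULE_CHECK)
+		ima_appraise |= IMA_APPRAISE_MODULES;
 	audit_log_format(ab, "res=%d", !result);
 	audit_log_end(ab);
 	return result;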
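Review bot: The new `else if (entry->func == MODULE_CHECK)` sets IMA_APPRAISE_MODULES without looking at `entry->action`, so any rule whose func is MODULE_CHECK raises the appraise flag. If this parser also accepts measure, audit or dont_appraise rules — its start is outside the hunk, so I cannot confirm that here — a measure-only module rule would then make ima_module_check() deny the legacy init_module() path even though no appraisal was asked for. Tightening the condition to the appraise action, e.g. `else if (entry->action == APPRAISE && entry->func == MODULE_CHECK)`, would keep the flag tied to what its name says. A short comment on the assignment noting that the flag is consumed by ima_module_check() would also help, since that coupling is otherwise invisible in this file.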