ima: check signature enforcement against cmdline param instead of CONFIG
When the user requests MODULE_CHECK policy and its kernel is compiled with CONFIG_MODULE_SIG_FORCE not set, all modules would not load, just those loaded in initram time. One option the user would have would be set a kernel cmdline param (module.sig_enforce) to true, but the IMA module check code doesn't rely on this value, it checks just CONFIG_MODULE_SIG_FORCE. This patch solves this problem checking for the exported value of module.sig_enforce cmdline param intead of CONFIG_MODULE_SIG_FORCE, which holds the effective value (CONFIG || param). Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
parent
fda784e50a
commit
7c9bc0983f
|
@ -362,12 +362,12 @@ void ima_post_path_mknod(struct dentry *dentry)
|
|||
*/
|
||||
int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
|
||||
{
|
||||
bool sig_enforce = is_module_sig_enforced();
|
||||
|
||||
if (!file && read_id == READING_MODULE) {
|
||||
#ifndef CONFIG_MODULE_SIG_FORCE
|
||||
if ((ima_appraise & IMA_APPRAISE_MODULES) &&
|
||||
if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
|
||||
(ima_appraise & IMA_APPRAISE_ENFORCE))
|
||||
return -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
#endif
|
||||
return 0; /* We rely on module signature checking */
|
||||
}
|
||||
return 0;
|
||||
|
|
Loading…
Reference in New Issue
Block a user