luck/tmp_suning_uos_patched
1
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b5ca117365
tmp_suning_uos_patched/security/integrity
History
Nayna Jain b5ca117365 ima: prevent kexec_load syscall based on runtime secureboot flag 
When CONFIG_KEXEC_VERIFY_SIG is enabled, the kexec_file_load syscall
requires the kexec'd kernel image to be signed. Distros are concerned
about totally disabling the kexec_load syscall. As a compromise, the
kexec_load syscall will only be disabled when CONFIG_KEXEC_VERIFY_SIG
is configured and the system is booted with secureboot enabled.

This patch disables the kexec_load syscall only for systems booted with
secureboot enabled.

[zohar@linux.ibm.com: add missing mesage on kexec_load failure]
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2018-12-11 07:10:33 -05:00
..
evm security/integrity: constify some read-only data 2018-10-10 12:56:15 -04:00
ima ima: prevent kexec_load syscall based on runtime secureboot flag 2018-12-11 07:10:33 -05:00
digsig_asymmetric.c integrity: support new struct public_key_signature encoding field 2018-11-13 07:37:42 -05:00
digsig.c security/integrity: remove unnecessary 'init_keyring' variable 2018-10-10 12:56:15 -04:00
iint.c LSM: Record LSM name in struct lsm_info 2018-10-10 20:40:22 -07:00
integrity_audit.c ima: Use audit_log_format() rather than audit_log_string() 2018-07-18 07:27:22 -04:00
integrity.h ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set 2018-07-18 07:27:22 -04:00
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00