summaryrefslogtreecommitdiffstats
path: root/security/integrity/ima/ima_policy.c
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2012-12-21 14:34:21 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2012-12-24 15:35:48 +0100
commita7f2a366f62319dfebf8d4dfe8b211f631c78457 (patch)
tree67e502cd2da52cc6c75d1fa9dcaed27fd05b86e2 /security/integrity/ima/ima_policy.c
parentLinux 3.8-rc1 (diff)
downloadlinux-a7f2a366f62319dfebf8d4dfe8b211f631c78457.tar.xz
linux-a7f2a366f62319dfebf8d4dfe8b211f631c78457.zip
ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall
The new kernel module syscall appraises kernel modules based on policy. If the IMA policy requires kernel module checking, fallback to module signature enforcing for the existing syscall. Without CONFIG_MODULE_SIG_FORCE enabled, the kernel module's integrity is unknown, return -EACCES. Changelog v1: - Fix ima_module_check() return result (Tetsuo Handa) Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Diffstat (limited to 'security/integrity/ima/ima_policy.c')
-rw-r--r--security/integrity/ima/ima_policy.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index af7d182d5a46..479fca940bb5 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
}
if (!result && (entry->action == UNKNOWN))
result = -EINVAL;
-
+ else if (entry->func == MODULE_CHECK)
+ ima_appraise |= IMA_APPRAISE_MODULES;
audit_log_format(ab, "res=%d", !result);
audit_log_end(ab);
return result;