summaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2015-12-30 13:35:30 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2016-02-21 15:06:12 +0100
commita1db74209483a24c861c848b4bb79a4d945ef6fa (patch)
tree4edf4c1a22e4a8446166366e5cee358c99e8fda0 /security/integrity
parentvfs: define kernel_copy_file_from_fd() (diff)
downloadlinux-a1db74209483a24c861c848b4bb79a4d945ef6fa.tar.xz
linux-a1db74209483a24c861c848b4bb79a4d945ef6fa.zip
module: replace copy_module_from_fd with kernel version
Replace copy_module_from_fd() with kernel_read_file_from_fd(). Although none of the upstreamed LSMs define a kernel_module_from_file hook, IMA is called, based on policy, to prevent unsigned kernel modules from being loaded by the original kernel module syscall and to measure/appraise signed kernel modules. The security function security_kernel_module_from_file() was called prior to reading a kernel module. Preventing unsigned kernel modules from being loaded by the original kernel module syscall remains on the pre-read kernel_read_file() security hook. Instead of reading the kernel module twice, once for measuring/appraising and again for loading the kernel module, the signature validation is moved to the kernel_post_read_file() security hook. This patch removes the security_kernel_module_from_file() hook and security call. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/ima_main.c35
1 files changed, 13 insertions, 22 deletions
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index bbb80df28fb1..5da0b9c00072 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -316,28 +316,6 @@ int ima_file_check(struct file *file, int mask, int opened)
EXPORT_SYMBOL_GPL(ima_file_check);
/**
- * ima_module_check - based on policy, collect/store/appraise measurement.
- * @file: pointer to the file to be measured/appraised
- *
- * Measure/appraise kernel modules based on policy.
- *
- * On success return 0. On integrity appraisal error, assuming the file
- * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
- */
-int ima_module_check(struct file *file)
-{
- if (!file) {
-#ifndef CONFIG_MODULE_SIG_FORCE
- if ((ima_appraise & IMA_APPRAISE_MODULES) &&
- (ima_appraise & IMA_APPRAISE_ENFORCE))
- return -EACCES; /* INTEGRITY_UNKNOWN */
-#endif
- return 0; /* We rely on module signature checking */
- }
- return process_measurement(file, NULL, 0, MAY_EXEC, MODULE_CHECK, 0);
-}
-
-/**
* ima_read_file - pre-measure/appraise hook decision based on policy
* @file: pointer to the file to be measured/appraised/audit
* @read_id: caller identifier
@@ -350,6 +328,14 @@ int ima_module_check(struct file *file)
*/
int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
{
+ if (!file && read_id == READING_MODULE) {
+#ifndef CONFIG_MODULE_SIG_FORCE
+ if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE))
+ return -EACCES; /* INTEGRITY_UNKNOWN */
+#endif
+ return 0; /* We rely on module signature checking */
+ }
return 0;
}
@@ -378,6 +364,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
return 0;
}
+ if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */
+ return 0;
+
if (!file || !buf || size == 0) { /* should never happen */
if (ima_appraise & IMA_APPRAISE_ENFORCE)
return -EACCES;
@@ -386,6 +375,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
if (read_id == READING_FIRMWARE)
func = FIRMWARE_CHECK;
+ else if (read_id == READING_MODULE)
+ func = MODULE_CHECK;
return process_measurement(file, buf, size, MAY_READ, func, 0);
}