ima: check signature enforcement against cmdline param instead of CONFIG - linux

diff options

author	Bruno E. O. Meneguele <brdeoliv@redhat.com>	2017-10-24 19:37:01 +0200
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2017-11-08 21:16:36 +0100
commit	7c9bc0983f890ed9782e755a0e070930cd979333 (patch)
tree	ec73590d9c6cee188bdd2a1a29971cd9c472d756 /security/loadpin
parent	module: export module signature enforcement status (diff)
download	linux-7c9bc0983f890ed9782e755a0e070930cd979333.tar.xz linux-7c9bc0983f890ed9782e755a0e070930cd979333.zip

ima: check signature enforcement against cmdline param instead of CONFIG

When the user requests MODULE_CHECK policy and its kernel is compiled with CONFIG_MODULE_SIG_FORCE not set, all modules would not load, just those loaded in initram time. One option the user would have would be set a kernel cmdline param (module.sig_enforce) to true, but the IMA module check code doesn't rely on this value, it checks just CONFIG_MODULE_SIG_FORCE. This patch solves this problem checking for the exported value of module.sig_enforce cmdline param intead of CONFIG_MODULE_SIG_FORCE, which holds the effective value (CONFIG || param). Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Diffstat (limited to 'security/loadpin')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: