summaryrefslogtreecommitdiffstats
path: root/security/security.c
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2015-12-30 13:35:30 +0100
committerMimi Zohar <zohar@linux.vnet.ibm.com>2016-02-21 15:06:12 +0100
commita1db74209483a24c861c848b4bb79a4d945ef6fa (patch)
tree4edf4c1a22e4a8446166366e5cee358c99e8fda0 /security/security.c
parentvfs: define kernel_copy_file_from_fd() (diff)
downloadlinux-a1db74209483a24c861c848b4bb79a4d945ef6fa.tar.xz
linux-a1db74209483a24c861c848b4bb79a4d945ef6fa.zip
module: replace copy_module_from_fd with kernel version
Replace copy_module_from_fd() with kernel_read_file_from_fd(). Although none of the upstreamed LSMs define a kernel_module_from_file hook, IMA is called, based on policy, to prevent unsigned kernel modules from being loaded by the original kernel module syscall and to measure/appraise signed kernel modules. The security function security_kernel_module_from_file() was called prior to reading a kernel module. Preventing unsigned kernel modules from being loaded by the original kernel module syscall remains on the pre-read kernel_read_file() security hook. Instead of reading the kernel module twice, once for measuring/appraising and again for loading the kernel module, the signature validation is moved to the kernel_post_read_file() security hook. This patch removes the security_kernel_module_from_file() hook and security call. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'security/security.c')
-rw-r--r--security/security.c12
1 files changed, 0 insertions, 12 deletions
diff --git a/security/security.c b/security/security.c
index 8e699f98a600..3644b0344d29 100644
--- a/security/security.c
+++ b/security/security.c
@@ -889,16 +889,6 @@ int security_kernel_module_request(char *kmod_name)
return call_int_hook(kernel_module_request, 0, kmod_name);
}
-int security_kernel_module_from_file(struct file *file)
-{
- int ret;
-
- ret = call_int_hook(kernel_module_from_file, 0, file);
- if (ret)
- return ret;
- return ima_module_check(file);
-}
-
int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)
{
int ret;
@@ -1705,8 +1695,6 @@ struct security_hook_heads security_hook_heads = {
LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
.kernel_module_request =
LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
- .kernel_module_from_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_module_from_file),
.kernel_read_file =
LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
.kernel_post_read_file =