diff options
author | James Morris <james.l.morris@oracle.com> | 2013-01-07 12:11:37 +1100 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2013-01-07 12:11:37 +1100 |
commit | ade24c93ab173b392a905ef8d510874dfb05a417 (patch) | |
tree | f984a9b428cdf1866566cf9dba808d8fcc60d468 | |
parent | 5f243b9b46a22e5790dbbc36f574c2417af49a41 (diff) | |
parent | a7f2a366f62319dfebf8d4dfe8b211f631c78457 (diff) |
Merge branch 'for-Linus' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into for-linus
Pulled from Mimi's tree.
-rw-r--r-- | security/integrity/ima/ima.h | 1 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 12 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 3 |
3 files changed, 11 insertions, 5 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3b2adb794f1..079a85dc37b 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -139,6 +139,7 @@ void ima_delete_rules(void); /* Appraise integrity measurements */ #define IMA_APPRAISE_ENFORCE 0x01 #define IMA_APPRAISE_FIX 0x02 +#define IMA_APPRAISE_MODULES 0x04 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(struct integrity_iint_cache *iint, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 45de18e9a6f..dba965de90d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check); */ int ima_module_check(struct file *file) { - int rc; + int rc = 0; - if (!file) - rc = INTEGRITY_UNKNOWN; - else + if (!file) { + if (ima_appraise & IMA_APPRAISE_MODULES) { +#ifndef CONFIG_MODULE_SIG_FORCE + rc = -EACCES; /* INTEGRITY_UNKNOWN */ +#endif + } + } else rc = process_measurement(file, file->f_dentry->d_name.name, MAY_EXEC, MODULE_CHECK); return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index af7d182d5a4..479fca940bb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) } if (!result && (entry->action == UNKNOWN)) result = -EINVAL; - + else if (entry->func == MODULE_CHECK) + ima_appraise |= IMA_APPRAISE_MODULES; audit_log_format(ab, "res=%d", !result); audit_log_end(ab); return result; |