Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull integrity subsystem regression fix from James Morris:
"Commit fdf90729e5
"ima: support new kernel module syscall" by error
modified init_module() to return INTEGRITY_UNKNOWN (which is 4) to
user space if the kernel was built with CONFIG_IMA_APPRAISE=y.
As a result, user space can no longer load kernel modules using
init_module(). This commit fixes this regression."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall
This commit is contained in:
commit
7991b03d65
@ -139,6 +139,7 @@ void ima_delete_rules(void);
|
||||
/* Appraise integrity measurements */
|
||||
#define IMA_APPRAISE_ENFORCE 0x01
|
||||
#define IMA_APPRAISE_FIX 0x02
|
||||
#define IMA_APPRAISE_MODULES 0x04
|
||||
|
||||
#ifdef CONFIG_IMA_APPRAISE
|
||||
int ima_appraise_measurement(struct integrity_iint_cache *iint,
|
||||
|
@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check);
|
||||
*/
|
||||
int ima_module_check(struct file *file)
|
||||
{
|
||||
int rc;
|
||||
int rc = 0;
|
||||
|
||||
if (!file)
|
||||
rc = INTEGRITY_UNKNOWN;
|
||||
else
|
||||
if (!file) {
|
||||
if (ima_appraise & IMA_APPRAISE_MODULES) {
|
||||
#ifndef CONFIG_MODULE_SIG_FORCE
|
||||
rc = -EACCES; /* INTEGRITY_UNKNOWN */
|
||||
#endif
|
||||
}
|
||||
} else
|
||||
rc = process_measurement(file, file->f_dentry->d_name.name,
|
||||
MAY_EXEC, MODULE_CHECK);
|
||||
return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
|
||||
|
@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
|
||||
}
|
||||
if (!result && (entry->action == UNKNOWN))
|
||||
result = -EINVAL;
|
||||
|
||||
else if (entry->func == MODULE_CHECK)
|
||||
ima_appraise |= IMA_APPRAISE_MODULES;
|
||||
audit_log_format(ab, "res=%d", !result);
|
||||
audit_log_end(ab);
|
||||
return result;
|
||||
|
Loading…
Reference in New Issue
Block a user