ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall

The new kernel module syscall appraises kernel modules based on policy. If the IMA policy requires kernel module checking, fallback to module signature enforcing for the existing syscall. Without CONFIG_MODULE_SIG_FORCE enabled, the kernel module's integrity is unknown, return -EACCES. Changelog v1: - Fix ima_module_check() return result (Tetsuo Handa) Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
author: Mimi Zohar <zohar@linux.vnet.ibm.com> 2012-12-21 08:34:21 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2012-12-24 09:35:48 -0500
commit: a7f2a366f62319dfebf8d4dfe8b211f631c78457 (patch)
tree: 67e502cd2da52cc6c75d1fa9dcaed27fd05b86e2 /security/integrity/ima/ima.h
parent: a49f0d1ea3ec94fc7cf33a7c36a16343b74bd565 (diff)
download: linux-a7f2a366f62319dfebf8d4dfe8b211f631c78457.tar.bz2
1 files changed, 1 insertions, 0 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 3b2adb794f15..079a85dc37b2 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -139,6 +139,7 @@ void ima_delete_rules(void);
 /* Appraise integrity measurements */
 #define IMA_APPRAISE_ENFORCE	0x01
 #define IMA_APPRAISE_FIX	0x02
+#define IMA_APPRAISE_MODULES	0x04
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(struct integrity_iint_cache *iint,
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	2012-12-21 08:34:21 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2012-12-24 09:35:48 -0500
commit	a7f2a366f62319dfebf8d4dfe8b211f631c78457 (patch)
tree	67e502cd2da52cc6c75d1fa9dcaed27fd05b86e2 /security/integrity/ima/ima.h
parent	a49f0d1ea3ec94fc7cf33a7c36a16343b74bd565 (diff)
download	linux-a7f2a366f62319dfebf8d4dfe8b211f631c78457.tar.bz2