projects / linux / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fda784e) | patch
ima: check signature enforcement against cmdline param instead of CONFIG
authorBruno E. O. Meneguele <brdeoliv@redhat.com>
Tue, 24 Oct 2017 17:37:01 +0000 (15:37 -0200)
committerMimi Zohar <zohar@linux.vnet.ibm.com>
Wed, 8 Nov 2017 20:16:36 +0000 (15:16 -0500)
commit7c9bc0983f890ed9782e755a0e070930cd979333
treeec73590d9c6cee188bdd2a1a29971cd9c472d756tree | snapshot
parentfda784e50aace694ec2e4e16e2de07b91a938563commit | diff
ima: check signature enforcement against cmdline param instead of CONFIG

When the user requests MODULE_CHECK policy and its kernel is compiled
with CONFIG_MODULE_SIG_FORCE not set, all modules would not load, just
those loaded in initram time. One option the user would have would be
set a kernel cmdline param (module.sig_enforce) to true, but the IMA
module check code doesn't rely on this value, it checks just
CONFIG_MODULE_SIG_FORCE.

This patch solves this problem checking for the exported value of
module.sig_enforce cmdline param intead of CONFIG_MODULE_SIG_FORCE,
which holds the effective value (CONFIG || param).

Signed-off-by: Bruno E. O. Meneguele <brdeoliv@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
security/integrity/ima/ima_main.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.