ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall (a7f2a366) · Commits · e / devices / android_kernel_teracube_2e

security/integrity/ima/ima.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -139,6 +139,7 @@ void ima_delete_rules(void);
		/* Appraise integrity measurements */
		#define IMA_APPRAISE_ENFORCE 0x01
		#define IMA_APPRAISE_FIX 0x02
		#define IMA_APPRAISE_MODULES 0x04

		#ifdef CONFIG_IMA_APPRAISE
		int ima_appraise_measurement(struct integrity_iint_cache *iint,

+8 −4

Original line number	Diff line number	Diff line
		@@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check);
		*/
		int ima_module_check(struct file *file)
		{
		int rc;
		int rc = 0;

		if (!file)
		rc = INTEGRITY_UNKNOWN;
		else
		if (!file) {
		if (ima_appraise & IMA_APPRAISE_MODULES) {
		#ifndef CONFIG_MODULE_SIG_FORCE
		rc = -EACCES; /* INTEGRITY_UNKNOWN */
		#endif
		}
		} else
		rc = process_measurement(file, file->f_dentry->d_name.name,
		MAY_EXEC, MODULE_CHECK);
		return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;

+2 −1

Original line number	Diff line number	Diff line
		@@ -523,7 +523,8 @@ static int ima_parse_rule(char rule, struct ima_rule_entry entry)
		}
		if (!result && (entry->action == UNKNOWN))
		result = -EINVAL;

		else if (entry->func == MODULE_CHECK)
		ima_appraise \|= IMA_APPRAISE_MODULES;
		audit_log_format(ab, "res=%d", !result);
		audit_log_end(ab);
		return result;