forked from Minki/linux
a1db742094
Replace copy_module_from_fd() with kernel_read_file_from_fd(). Although none of the upstreamed LSMs define a kernel_module_from_file hook, IMA is called, based on policy, to prevent unsigned kernel modules from being loaded by the original kernel module syscall and to measure/appraise signed kernel modules. The security function security_kernel_module_from_file() was called prior to reading a kernel module. Preventing unsigned kernel modules from being loaded by the original kernel module syscall remains on the pre-read kernel_read_file() security hook. Instead of reading the kernel module twice, once for measuring/appraising and again for loading the kernel module, the signature validation is moved to the kernel_post_read_file() security hook. This patch removes the security_kernel_module_from_file() hook and security call. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au> |
||
---|---|---|
.. | ||
ima_api.c | ||
ima_appraise.c | ||
ima_crypto.c | ||
ima_fs.c | ||
ima_init.c | ||
ima_main.c | ||
ima_mok.c | ||
ima_policy.c | ||
ima_queue.c | ||
ima_template_lib.c | ||
ima_template_lib.h | ||
ima_template.c | ||
ima.h | ||
Kconfig | ||
Makefile |