linux-sg2042/security/integrity/ima
Mimi Zohar a1db742094 module: replace copy_module_from_fd with kernel version
Replace copy_module_from_fd() with kernel_read_file_from_fd().

Although none of the upstreamed LSMs define a kernel_module_from_file
hook, IMA is called, based on policy, to prevent unsigned kernel modules
from being loaded by the original kernel module syscall and to
measure/appraise signed kernel modules.

The security function security_kernel_module_from_file() was called prior
to reading a kernel module.  Preventing unsigned kernel modules from being
loaded by the original kernel module syscall remains on the pre-read
kernel_read_file() security hook.  Instead of reading the kernel module
twice, once for measuring/appraising and again for loading the kernel
module, the signature validation is moved to the kernel_post_read_file()
security hook.

This patch removes the security_kernel_module_from_file() hook and security
call.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Luis R. Rodriguez <mcgrof@kernel.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
2016-02-21 09:06:12 -05:00
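The hook ordering the commit message describes, as a user-space model added here for illustration (it is not the commit's code, nor kernel code): a pre-read `kernel_read_file` hook that can deny the legacy `init_module()` path before anything is read, and a post-read `kernel_post_read_file` hook that appraises the very buffer the loader will use, so the module image is read once. The enum names, `struct ima_policy_model` and the FNV-1a tag that stands in for a module signature are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model, not kernel code. Enums, the policy struct and the
 * FNV-1a "signature" tag are constructed for this example only. */
enum read_origin { READ_FROM_FD, READ_FROM_MEM }; /* finit_module vs init_module */
enum read_id     { READING_MODULE, READING_OTHER };

struct ima_policy_model {
    int appraise_modules; /* non-zero: a module must carry a valid tag */
};

/* FNV-1a stands in for signature verification; real IMA appraisal checks
 * a signature in security.ima against a keyring. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* "Sign" body by appending its 4-byte little-endian tag; out must hold
 * n + 4 bytes. Returns the total length. */
size_t sign_blob(uint8_t *out, const uint8_t *body, size_t n)
{
    uint32_t t = fnv1a(body, n);
    memcpy(out, body, n);
    for (int i = 0; i < 4; i++)
        out[n + i] = (uint8_t)(t >> (8 * i));
    return n + 4;
}

/* Pre-read hook (kernel_read_file): runs before any bytes are read. The
 * legacy init_module() path supplies a buffer with no backing file, so
 * nothing can be appraised later; deny it when policy requires signed
 * modules. Returns 0 to allow, -1 (modelling -EACCES) to deny. */
int hook_kernel_read_file(enum read_origin origin, enum read_id id,
                          const struct ima_policy_model *pol)
{
    if (id == READING_MODULE && origin == READ_FROM_MEM && pol->appraise_modules)
        return -1;
    return 0;
}

/* Post-read hook (kernel_post_read_file): appraise the buffer the loader
 * will use, so the file is read once and the bytes checked are the bytes
 * loaded. */
int hook_kernel_post_read_file(const uint8_t *buf, size_t len, enum read_id id,
                               const struct ima_policy_model *pol)
{
    if (id != READING_MODULE || !pol->appraise_modules)
        return 0;
    if (len < 4)
        return -1;
    size_t body = len - 4;
    uint32_t want = 0;
    for (int i = 0; i < 4; i++)
        want |= (uint32_t)buf[body + i] << (8 * i);
    return fnv1a(buf, body) == want ? 0 : -1;
}

/* Loader model: pre-read hook, one read, post-read hook, then "load". */
int load_module_model(enum read_origin origin, const uint8_t *blob, size_t len,
                      const struct ima_policy_model *pol)
{
    int rc = hook_kernel_read_file(origin, READING_MODULE, pol);
    if (rc)
        return rc;
    if (origin == READ_FROM_FD) { /* only the fd path reads a file */
        rc = hook_kernel_post_read_file(blob, len, READING_MODULE, pol);
        if (rc)
            return rc;
    }
    return 0; /* blob would now be parsed and loaded, unchanged */
}

/* Four cases on a constructed module image; returns a bitmask of cases
 * that did not behave as the commit message describes (0 = all did). */
int model_scenarios(void)
{
    static const uint8_t body[] = "constructed module image";
    uint8_t blob[sizeof body + 4];
    size_t n = sign_blob(blob, body, sizeof body - 1);
    struct ima_policy_model strict = { 1 }, lax = { 0 };
    int bad = 0;
    if (load_module_model(READ_FROM_FD, blob, n, &strict) != 0)   bad |= 1; /* signed via fd: allowed */
    if (load_module_model(READ_FROM_MEM, blob, n, &strict) != -1) bad |= 2; /* legacy syscall: denied pre-read */
    if (load_module_model(READ_FROM_MEM, blob, n, &lax) != 0)     bad |= 4; /* no appraisal policy: allowed */
    blob[0] ^= 0x01;                                                        /* tamper with the image */
    if (load_module_model(READ_FROM_FD, blob, n, &strict) != -1)  bad |= 8; /* tampered via fd: denied post-read */
    return bad;
}

int main(void)
{
    printf("model_scenarios() = %d\n", model_scenarios()); /* 0 when all cases match */
    return 0;
}
```

The point the model makes concrete: the pre-read hook only has the origin and the read purpose to decide on, which is enough to refuse the file-less legacy syscall, while the signature check needs the bytes and so belongs after the single read, on the same buffer the loader consumes.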
Kconfig IMA: allow reading back the current IMA policy 2015-12-15 10:01:43 -05:00
Makefile IMA: create machine owner and blacklist keyrings 2015-12-15 10:01:43 -05:00
ima.h ima: define a new hook to measure and appraise a file already in memory 2016-02-20 22:35:08 -05:00
ima_api.c ima: define a new hook to measure and appraise a file already in memory 2016-02-20 22:35:08 -05:00
ima_appraise.c ima: define a new hook to measure and appraise a file already in memory 2016-02-20 22:35:08 -05:00
ima_crypto.c ima: calculate the hash of a buffer using asynchronous hash(ahash) 2016-02-18 17:14:44 -05:00
ima_fs.c ima: ima_write_policy() limit locking 2016-01-03 13:22:38 -05:00
ima_init.c ima: separate 'security.ima' reading functionality from collect 2016-02-18 17:13:32 -05:00
ima_main.c module: replace copy_module_from_fd with kernel version 2016-02-21 09:06:12 -05:00
ima_mok.c security/integrity: make ima/ima_mok.c explicitly non-modular 2015-12-15 10:01:43 -05:00
ima_policy.c ima: define a new hook to measure and appraise a file already in memory 2016-02-20 22:35:08 -05:00
ima_queue.c integrity: fix checkpatch errors 2014-03-07 12:15:45 -05:00
ima_template.c ima: separate 'security.ima' reading functionality from collect 2016-02-18 17:13:32 -05:00
ima_template_lib.c ima: separate 'security.ima' reading functionality from collect 2016-02-18 17:13:32 -05:00
ima_template_lib.h ima: wrap event related data to the new ima_event_data structure 2015-05-21 13:59:28 -04:00