diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2018-07-13 14:05:58 -0400 |
|---|---|---|
| committer | James Morris <james.morris@microsoft.com> | 2018-07-16 15:31:57 -0400 |
| commit | 16c267aac86b463b1fcccd43c89f4c8e5c5c86fa (patch) | |
| tree | 550e6fcb00d732a3c018b3258302f8ffd61a4379 /security/security.c | |
| parent | a210fd32a46bae6d05b43860fe3b47732501d63b (diff) | |
ima: based on policy require signed kexec kernel images
The original kexec_load syscall can not verify file signatures, nor can
the kexec image be measured. Based on policy, deny the kexec_load
syscall.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'security/security.c')
| -rw-r--r-- | security/security.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c index c2de2f134854..4927e7cc7d96 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -1058,7 +1058,12 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file); | |||
| 1058 | 1058 | ||
| 1059 | int security_kernel_load_data(enum kernel_load_data_id id) | 1059 | int security_kernel_load_data(enum kernel_load_data_id id) |
| 1060 | { | 1060 | { |
| 1061 | return call_int_hook(kernel_load_data, 0, id); | 1061 | int ret; |
| 1062 | |||
| 1063 | ret = call_int_hook(kernel_load_data, 0, id); | ||
| 1064 | if (ret) | ||
| 1065 | return ret; | ||
| 1066 | return ima_load_data(id); | ||
| 1062 | } | 1067 | } |
| 1063 | 1068 | ||
| 1064 | int security_task_fix_setuid(struct cred *new, const struct cred *old, | 1069 | int security_task_fix_setuid(struct cred *new, const struct cred *old, |