1 files changed, 10 insertions, 0 deletions

diff --git a/fs/exec.c b/fs/exec.c
index 0dd60a01f1b4..febfd8ed6ad1 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -45,6 +45,7 @@
 #include <linux/proc_fs.h>
 #include <linux/mount.h>
 #include <linux/security.h>
+#include <linux/ima.h>
 #include <linux/syscalls.h>
 #include <linux/tsacct_kern.h>
 #include <linux/cn_proc.h>
@@ -127,6 +128,9 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
                                  MAY_READ | MAY_EXEC | MAY_OPEN);
         if (error)
                 goto exit;
+        error = ima_path_check(&nd.path, MAY_READ | MAY_EXEC | MAY_OPEN);
+        if (error)
+                goto exit;
 
         file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE);
         error = PTR_ERR(file);
@@ -674,6 +678,9 @@ struct file *open_exec(const char *name)
         err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC | MAY_OPEN);
         if (err)
                 goto out_path_put;
+        err = ima_path_check(&nd.path, MAY_EXEC | MAY_OPEN);
+        if (err)
+                goto out_path_put;
 
         file = nameidata_to_filp(&nd, O_RDONLY|O_LARGEFILE);
         if (IS_ERR(file))
@@ -1168,6 +1175,9 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
         retval = security_bprm_check(bprm);
         if (retval)
                 return retval;
+        retval = ima_bprm_check(bprm);
+        if (retval)
+                return retval;
 
         /* kernel module loader fixup */
         /* so we don't try to load run modprobe in kernel space. */