ima: support new kernel module syscall

With the addition of the new kernel module syscall, which defines two
arguments - a file descriptor to the kernel module and a pointer to a NULL
terminated string of module arguments - it is now possible to measure and
appraise kernel modules like any other file on the file system.

This patch adds support to measure and appraise kernel modules in an
extensible and consistent manner.

To support filesystems without extended attribute support, additional
patches could pass the signature as the first parameter.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

1 files changed, 2 insertions, 1 deletions

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 986946613542..ec0a38ef3145 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -23,7 +23,7 @@ Description:
                         lsm:    [[subj_user=] [subj_role=] [subj_type=]
                                  [obj_user=] [obj_role=] [obj_type=]]
 
-                base:   func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK]
+                base:   func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK][MODULE_CHECK]
                         mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
                         fsmagic:= hex value
                         uid:= decimal value
@@ -53,6 +53,7 @@ Description:
                         measure func=BPRM_CHECK
                         measure func=FILE_MMAP mask=MAY_EXEC
                         measure func=FILE_CHECK mask=MAY_READ uid=0
+                        measure func=MODULE_CHECK uid=0
                         appraise fowner=0
 
                 The default policy measures all executables in bprm_check,