3 files changed, 11 insertions, 5 deletions
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 3b2adb794f15..079a85dc37b2 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -139,6 +139,7 @@ void ima_delete_rules(void);
 /* Appraise integrity measurements */
 #define IMA_APPRAISE_ENFORCE    0x01
 #define IMA_APPRAISE_FIX        0x02
+#define IMA_APPRAISE_MODULES    0x04
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(struct integrity_iint_cache *iint,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 45de18e9a6f2..dba965de90d3 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check);
 */
 int ima_module_check(struct file *file)
 {
-        int rc;
+        int rc = 0;
-        if (!file)
+        if (!file) {
-                rc = INTEGRITY_UNKNOWN;
+                if (ima_appraise & IMA_APPRAISE_MODULES) {
-        else
+#ifndef CONFIG_MODULE_SIG_FORCE
+                        rc = -EACCES;   /* INTEGRITY_UNKNOWN */
+#endif
+                }
+        } else
                rc = process_measurement(file, file->f_dentry->d_name.name,
                                         MAY_EXEC, MODULE_CHECK);
        return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index af7d182d5a46..479fca940bb5 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
        }
        if (!result && (entry->action == UNKNOWN))
                result = -EINVAL;
+        else if (entry->func == MODULE_CHECK)
+                ima_appraise |= IMA_APPRAISE_MODULES;
        audit_log_format(ab, "res=%d", !result);
        audit_log_end(ab);
        return result;

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3b2adb794f15..079a85dc37b2 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h
@@ -139,6 +139,7 @@ void ima_delete_rules(void);
139	/* Appraise integrity measurements */	139	/* Appraise integrity measurements */
140	#define IMA_APPRAISE_ENFORCE 0x01	140	#define IMA_APPRAISE_ENFORCE 0x01
141	#define IMA_APPRAISE_FIX 0x02	141	#define IMA_APPRAISE_FIX 0x02
		142	#define IMA_APPRAISE_MODULES 0x04
142		143
143	#ifdef CONFIG_IMA_APPRAISE	144	#ifdef CONFIG_IMA_APPRAISE
144	int ima_appraise_measurement(struct integrity_iint_cache *iint,	145	int ima_appraise_measurement(struct integrity_iint_cache *iint,


diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 45de18e9a6f2..dba965de90d3 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check);
291	*/	291	*/
292	int ima_module_check(struct file *file)	292	int ima_module_check(struct file *file)
293	{	293	{
294	int rc;	294	int rc = 0;
295		295
296	if (!file)	296	if (!file) {
297	rc = INTEGRITY_UNKNOWN;	297	if (ima_appraise & IMA_APPRAISE_MODULES) {
298	else	298	#ifndef CONFIG_MODULE_SIG_FORCE
		299	rc = -EACCES; /* INTEGRITY_UNKNOWN */
		300	#endif
		301	}
		302	} else
299	rc = process_measurement(file, file->f_dentry->d_name.name,	303	rc = process_measurement(file, file->f_dentry->d_name.name,
300	MAY_EXEC, MODULE_CHECK);	304	MAY_EXEC, MODULE_CHECK);
301	return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;	305	return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;


diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index af7d182d5a46..479fca940bb5 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -523,7 +523,8 @@ static int ima_parse_rule(char rule, struct ima_rule_entry entry)
523	}	523	}
524	if (!result && (entry->action == UNKNOWN))	524	if (!result && (entry->action == UNKNOWN))
525	result = -EINVAL;	525	result = -EINVAL;
526		526	else if (entry->func == MODULE_CHECK)
		527	ima_appraise \|= IMA_APPRAISE_MODULES;
527	audit_log_format(ab, "res=%d", !result);	528	audit_log_format(ab, "res=%d", !result);
528	audit_log_end(ab);	529	audit_log_end(ab);
529	return result;	530	return result;