3 files changed, 10 insertions, 3 deletions

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 6e69697fd530..a41c9c18e5e0 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -141,6 +141,7 @@ void ima_delete_rules(void);
 /* Appraise integrity measurements */
 #define IMA_APPRAISE_ENFORCE    0x01
 #define IMA_APPRAISE_FIX        0x02
+#define IMA_APPRAISE_MODULES    0x04
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 3e751a9743a1..5127afcc4b89 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -282,8 +282,13 @@ EXPORT_SYMBOL_GPL(ima_file_check);
  */
 int ima_module_check(struct file *file)
 {
-        if (!file)
-                return -EACCES; /* INTEGRITY_UNKNOWN */
+        if (!file) {
+#ifndef CONFIG_MODULE_SIG_FORCE
+                if (ima_appraise & IMA_APPRAISE_MODULES)
+                        return -EACCES; /* INTEGRITY_UNKNOWN */
+#endif
+                return 0;       /* We rely on module signature checking */
+        }
         return process_measurement(file, file->f_dentry->d_name.name,
                                    MAY_EXEC, MODULE_CHECK);
 }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 23f49e37a957..b27535a13a79 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -629,7 +629,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
         }
         if (!result && (entry->action == UNKNOWN))
                 result = -EINVAL;
-
+        else if (entry->func == MODULE_CHECK)
+                ima_appraise |= IMA_APPRAISE_MODULES;
         audit_log_format(ab, "res=%d", !result);
         audit_log_end(ab);
         return result;