summaryrefslogtreecommitdiff
path: root/security/security.c
diff options
context:
space:
mode:
authorMimi Zohar <zohar@linux.vnet.ibm.com>2018-07-13 14:05:58 -0400
committerJames Morris <james.morris@microsoft.com>2018-07-16 12:31:57 -0700
commit16c267aac86b463b1fcccd43c89f4c8e5c5c86fa (patch)
tree550e6fcb00d732a3c018b3258302f8ffd61a4379 /security/security.c
parenta210fd32a46bae6d05b43860fe3b47732501d63b (diff)
downloadlwn-16c267aac86b463b1fcccd43c89f4c8e5c5c86fa.tar.gz
lwn-16c267aac86b463b1fcccd43c89f4c8e5c5c86fa.zip
ima: based on policy require signed kexec kernel images
The original kexec_load syscall can not verify file signatures, nor can the kexec image be measured. Based on policy, deny the kexec_load syscall. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Eric Biederman <ebiederm@xmission.com> Cc: Kees Cook <keescook@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'security/security.c')
-rw-r--r--security/security.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index c2de2f134854..4927e7cc7d96 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1058,7 +1058,12 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
int security_kernel_load_data(enum kernel_load_data_id id)
{
- return call_int_hook(kernel_load_data, 0, id);
+ int ret;
+
+ ret = call_int_hook(kernel_load_data, 0, id);
+ if (ret)
+ return ret;
+ return ima_load_data(id);
}
int security_task_fix_setuid(struct cred *new, const struct cred *old,