12 years ago · 7991b03d65
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -139,6 +139,7 @@ void ima_delete_rules(void);
 
				 /* Appraise integrity measurements */
			
 
				 #define IMA_APPRAISE_ENFORCE	0x01
			
 
				 #define IMA_APPRAISE_FIX	0x02
			
 
				+#define IMA_APPRAISE_MODULES	0x04
			
 
				 
			
 
				 #ifdef CONFIG_IMA_APPRAISE
			
 
				 int ima_appraise_measurement(struct integrity_iint_cache *iint,
			
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -291,11 +291,15 @@ EXPORT_SYMBOL_GPL(ima_file_check);
 
				  */
			
 
				 int ima_module_check(struct file *file)
			
 
				 {
			
 
				-	int rc;
			
 
				+	int rc = 0;
			
 
				 
			
 
				-	if (!file)
			
 
				-		rc = INTEGRITY_UNKNOWN;
			
 
				-	else
			
 
				+	if (!file) {
			
 
				+		if (ima_appraise & IMA_APPRAISE_MODULES) {
			
 
				+#ifndef CONFIG_MODULE_SIG_FORCE
			
 
				+			rc = -EACCES;	/* INTEGRITY_UNKNOWN */
			
 
				+#endif
			
 
				+		}
			
 
				+	} else
			
 
				 		rc = process_measurement(file, file->f_dentry->d_name.name,
			
 
				 					 MAY_EXEC, MODULE_CHECK);
			
 
				 	return (ima_appraise & IMA_APPRAISE_ENFORCE) ? rc : 0;
			
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -523,7 +523,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 
				 	}
			
 
				 	if (!result && (entry->action == UNKNOWN))
			
 
				 		result = -EINVAL;
			
 
				-
			
 
				+	else if (entry->func == MODULE_CHECK)
			
 
				+		ima_appraise |= IMA_APPRAISE_MODULES;
			
 
				 	audit_log_format(ab, "res=%d", !result);
			
 
				 	audit_log_end(ab);
			
 
				 	return result;