76c11d9b55
- Reenable debugging options.
60 lines
1.6 KiB
Diff
60 lines
1.6 KiB
Diff
From: Matthew Garrett <matthew.garrett@nebula.com>
|
|
Date: Fri, 9 Aug 2013 17:58:15 -0400
|
|
Subject: [PATCH] Add secure_modules() call
|
|
|
|
Provide a single call to allow kernel code to determine whether the system
|
|
has been configured to either disable module loading entirely or to load
|
|
only modules signed with a trusted key.
|
|
|
|
Bugzilla: N/A
|
|
Upstream-status: Fedora mustard. Replaced by securelevels, but that was nak'd
|
|
|
|
Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
|
|
---
|
|
include/linux/module.h | 6 ++++++
|
|
kernel/module.c | 10 ++++++++++
|
|
2 files changed, 16 insertions(+)
|
|
|
|
diff --git a/include/linux/module.h b/include/linux/module.h
|
|
index 7ffe0851d244..3da68fd1f657 100644
|
|
--- a/include/linux/module.h
|
|
+++ b/include/linux/module.h
|
|
@@ -515,6 +515,8 @@ static inline bool module_requested_async_probing(struct module *module)
|
|
return module && module->async_probe_requested;
|
|
}
|
|
|
|
+extern bool secure_modules(void);
|
|
+
|
|
#else /* !CONFIG_MODULES... */
|
|
|
|
/* Given an address, look for it in the exception tables. */
|
|
@@ -631,6 +633,10 @@ static inline bool module_requested_async_probing(struct module *module)
|
|
return false;
|
|
}
|
|
|
|
+static inline bool secure_modules(void)
|
|
+{
|
|
+ return false;
|
|
+}
|
|
#endif /* CONFIG_MODULES */
|
|
|
|
#ifdef CONFIG_SYSFS
|
|
diff --git a/kernel/module.c b/kernel/module.c
|
|
index f80a97f7da1f..5d3e6c6191fa 100644
|
|
--- a/kernel/module.c
|
|
+++ b/kernel/module.c
|
|
@@ -3925,3 +3925,13 @@ void module_layout(struct module *mod,
|
|
}
|
|
EXPORT_SYMBOL(module_layout);
|
|
#endif
|
|
+
|
|
+bool secure_modules(void)
|
|
+{
|
|
+#ifdef CONFIG_MODULE_SIG
|
|
+ return (sig_enforce || modules_disabled);
|
|
+#else
|
|
+ return modules_disabled;
|
|
+#endif
|
|
+}
|
|
+EXPORT_SYMBOL(secure_modules);
|