On Wed, Feb 03, 2016 at 02:06:24PM -0500, Mimi Zohar wrote: > Replace copy_module_from_fd() with kernel_read_file_from_fd(). > > Although none of the upstreamed LSMs define a kernel_module_from_file > hook, IMA is called, based on policy, to prevent unsigned kernel modules > from being loaded by the original kernel module syscall and to > measure/appraise signed kernel modules. > > The security function security_kernel_module_from_file() was called prior > to reading a kernel module. Preventing unsigned kernel modules from being > loaded by the original kernel module syscall remains on the pre-read > kernel_read_file() security hook. Instead of reading the kernel module > twice, once for measuring/appraising and again for loading the kernel > module, the signature validation is moved to the kernel_post_read_file() > security hook. > > This patch removes the security_kernel_module_from_file() hook and security > call. > > Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com> Acked-by: Luis R. Rodriguez <mcgrof at kernel.org> Luis
