On Thu, 2016-02-04 at 20:56 +0100, Luis R. Rodriguez wrote: > On Wed, Feb 03, 2016 at 02:06:24PM -0500, Mimi Zohar wrote: > > Replace copy_module_from_fd() with kernel_read_file_from_fd(). > > > > Although none of the upstreamed LSMs define a kernel_module_from_file > > hook, IMA is called, based on policy, to prevent unsigned kernel modules > > from being loaded by the original kernel module syscall and to > > measure/appraise signed kernel modules. > > > > The security function security_kernel_module_from_file() was called prior > > to reading a kernel module. Preventing unsigned kernel modules from being > > loaded by the original kernel module syscall remains on the pre-read > > kernel_read_file() security hook. Instead of reading the kernel module > > twice, once for measuring/appraising and again for loading the kernel > > module, the signature validation is moved to the kernel_post_read_file() > > security hook. > > > > This patch removes the security_kernel_module_from_file() hook and security > > call. > > > > Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com> > > Acked-by: Luis R. Rodriguez <mcgrof at kernel.org> Thank you for reviewing the patches! Mimi
