In environments that require the kexec kernel image to be signed, prevent using the kexec_load syscall. In order for LSMs and IMA to differentiate between kexec_load and kexec_file_load syscalls, this patch set adds a call to security_kernel_read_file() in kexec_load_check(). Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Mimi Zohar (3): ima: based on the "secure_boot" policy limit syscalls kexec: call LSM hook for kexec_load syscall ima: based on policy require signed kexec kernel images kernel/kexec.c | 11 +++++++++++ security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 9 +++++++++ security/integrity/ima/ima_policy.c | 27 ++++++++++++++++++++------- 4 files changed, 41 insertions(+), 7 deletions(-) -- 2.7.5 _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec
