Re: IMA appraisal against xz-compressed modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On Thu, 2017-10-19 at 17:31 -0200, Bruno E. O. Meneguele wrote:
> On 19-10, Mimi Zohar wrote:
 
> > > Right, but it's also possible to note that CONFIG_MODULE_SIG_FORCE is
> > > handled in kernel/module.c and has a kernel cmdline param,
> > > module.sig_enforce, that is read in case CONFIG_MODULE_SIG_FORCE is not
> > > set. Wouldn't it be better for ima_read_file to depend on this cmdline
> > > param instead of directly on the CONFIG? That way kernels compiled
> > > without CONFIG_MODULE_SIG_FORCE set by default would have the option to
> > > enable the kernel param and use their normal policy (MODULE_CHECK).
> > > 
> > > What do you think?
> > 
> > I wasn't aware of the module_param. Thank you for pointing it out.
> > "sig_enforce" is currently defined as static. Should it be defined
> > as __initdata?
> > 
> 
> Well, at first I thought it could stay as it is and just create a
> "getter" function, like "is_module_sig_enforced()", and use it in
> ima_main.c through module.h, since this code would be called for every
> module loaded at runtime.
> 
> If it's OK with you I can try to write a patch against integrity-next and
> see how it behaves.

Thanks!
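The design being discussed above, modelled in userspace C as an added illustration (this is not kernel code and not the patch Bruno proposes): a `sig_enforce` flag that is fixed at build time when CONFIG_MODULE_SIG_FORCE is set and otherwise settable through the module.sig_enforce cmdline parameter, exposed through a getter `is_module_sig_enforced()` so that the IMA side can consult it at runtime. The two `ima_*` functions contrast an IMA check that only looks at the CONFIG option with one that uses the getter; the cmdline parsing and the `IMA_KERNEL_MODULE` identifier are simplifications assumed for this model.

```c
/* Userspace model of the proposal in the thread (added illustration, not
 * kernel code): module-signature enforcement is either compiled in with
 * CONFIG_MODULE_SIG_FORCE or enabled at boot via module.sig_enforce, and
 * IMA asks a getter rather than the build-time CONFIG. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Define this to model a kernel built with CONFIG_MODULE_SIG_FORCE=y. */
/* #define CONFIG_MODULE_SIG_FORCE 1 */

#ifdef CONFIG_MODULE_SIG_FORCE
static const bool sig_enforce = true;   /* fixed at build time */
#else
static bool sig_enforce = false;        /* set by module.sig_enforce=1 */
#endif

/* Model of module_param parsing for "module.sig_enforce=<0|1>" (assumed
 * format for this illustration). Returns true if the param was found. */
bool parse_cmdline_param(const char *cmdline)
{
#ifdef CONFIG_MODULE_SIG_FORCE
    (void)cmdline;
    return false;                       /* param is irrelevant when forced */
#else
    const char *key = "module.sig_enforce=";
    const char *p = strstr(cmdline, key);
    if (!p)
        return false;
    p += strlen(key);
    sig_enforce = (*p == '1' || *p == 'y' || *p == 'Y');
    return true;
#endif
}

/* The getter suggested in the thread: the variable stays static in the
 * module loader, and other code (IMA) reads it through this function. */
bool is_module_sig_enforced(void)
{
    return sig_enforce;
}

enum ima_file_id { IMA_KERNEL_MODULE, IMA_OTHER_FILE };

/* "Before": IMA decides purely on the build-time CONFIG, so a kernel built
 * without CONFIG_MODULE_SIG_FORCE never learns that enforcement was turned
 * on from the cmdline. */
bool ima_relies_on_module_sig_config_only(enum ima_file_id id)
{
#ifdef CONFIG_MODULE_SIG_FORCE
    return id == IMA_KERNEL_MODULE;
#else
    (void)id;
    return false;
#endif
}

/* "After": IMA asks the getter, so module.sig_enforce=1 on a non-FORCE
 * kernel is honoured as well; when this returns false IMA falls back to
 * its normal policy (MODULE_CHECK in the thread's terms). */
bool ima_relies_on_module_sig_runtime(enum ima_file_id id)
{
    return id == IMA_KERNEL_MODULE && is_module_sig_enforced();
}

int main(void)
{
    /* Constructed kernel command line for the demonstration. */
    parse_cmdline_param("quiet ro module.sig_enforce=1");
    printf("config-only check: %d, runtime getter check: %d\n",
           ima_relies_on_module_sig_config_only(IMA_KERNEL_MODULE),
           ima_relies_on_module_sig_runtime(IMA_KERNEL_MODULE));
    return 0;
}
```

With CONFIG_MODULE_SIG_FORCE left undefined, only the getter-based check reflects module.sig_enforce=1; defining it makes both checks agree, which is the behaviour the thread wants to extend to non-FORCE builds.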
