On Thu, 2017-10-19 at 17:31 -0200, Bruno E. O. Meneguele wrote: > On 19-10, Mimi Zohar wrote: > > > Right, but it's also possible to note that CONFIG_MODULE_SIG_FORCE is > > > handled on kernel/module.c and has a kernel cmdline param, > > > module.sig_enforce, that is read in case CONFIG_MODULE_SIG_FORCE is not > > > set. Wouldn't be better ima_read_file depend on this cmdline param > > > instead directly on the CONFIG? That way kernels compiled without > > > CONFIG_MODULE_SIG_FORCE set as default would have the option to enable > > > the kernel param and use their normal policy (MODULE_CHECK). > > > > > > What do you think? > > > > I wasn't aware of the module_param. Thank you for pointing it out. > > "sig_enforce" is currently defined as static. Should it be defined > > as __initdata? > > > > Well, at first I thought it could stay as it is and just create a > "getter" function, like "is_module_sig_enforced()", and use it on > ima_main.c through module.h, since this code would be called to every > module loaded in runtime. > > If it's ok to you I can try to write a patch against integrity-next and > see how it behaves. Thanks!
