On 19-10, Mimi Zohar wrote:
> On Thu, 2017-10-19 at 17:31 -0200, Bruno E. O. Meneguele wrote:
> > On 19-10, Mimi Zohar wrote:
> > > > Right, but it's also possible to note that CONFIG_MODULE_SIG_FORCE is
> > > > handled in kernel/module.c and has a kernel cmdline param,
> > > > module.sig_enforce, that is read in case CONFIG_MODULE_SIG_FORCE is not
> > > > set. Wouldn't it be better for ima_read_file to depend on this cmdline
> > > > param instead of directly on the CONFIG? That way kernels compiled
> > > > without CONFIG_MODULE_SIG_FORCE set as default would have the option to
> > > > enable the kernel param and use their normal policy (MODULE_CHECK).
> > > >
> > > > What do you think?
> > >
> > > I wasn't aware of the module_param. Thank you for pointing it out.
> > > "sig_enforce" is currently defined as static. Should it be defined
> > > as __initdata?
> >
> > Well, at first I thought it could stay as it is and just create a
> > "getter" function, like "is_module_sig_enforced()", and use it in
> > ima_main.c through module.h, since this code would be called for every
> > module loaded at runtime.
> >
> > If it's OK with you I can try to write a patch against integrity-next and
> > see how it behaves.
>
> Thanks!

Patchset posted: http://www.spinics.net/lists/linux-integrity/msg00398.html

Any feedback is welcome :).

Thanks, Mimi.

--
bmeneg
PGP Key: http://bmeneg.com/pubkey.txt
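To make the arrangement discussed above concrete, here is an added user-space model in C; it is not kernel code and not the posted patchset. It assumes a boot-parameter parser, a `READING_MODULE` read id and the shape of the IMA hook's decision (a module read with no file descriptor cannot be appraised by IMA, so it is allowed only when module signature enforcement covers it); only `CONFIG_MODULE_SIG_FORCE`, `module.sig_enforce` and `is_module_sig_enforced()` come from the thread.

```c
/* Added model of the thread's proposal, not kernel code: the sig_enforce flag
 * stays private to the "module" unit and is reached only through the getter,
 * so the IMA side can follow the runtime setting instead of the build CONFIG. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef CONFIG_MODULE_SIG_FORCE
#define CONFIG_MODULE_SIG_FORCE 0   /* build with -DCONFIG_MODULE_SIG_FORCE=1 to force */
#endif

/* --- kernel/module.c side (model) --- */
static bool sig_enforce = CONFIG_MODULE_SIG_FORCE;

/* Assumed model of the module.sig_enforce boot parameter: consulted only when
 * the CONFIG did not already force enforcement. Returns the resulting flag. */
bool module_parse_cmdline(const char *cmdline)
{
    const char *p = strstr(cmdline, "module.sig_enforce=");
    if (p && !CONFIG_MODULE_SIG_FORCE)
        sig_enforce = p[strlen("module.sig_enforce=")] == '1';
    return sig_enforce;
}

/* The getter proposed in the thread. */
bool is_module_sig_enforced(void)
{
    return sig_enforce;
}

/* --- security/integrity/ima side (model) --- */
enum read_id { READING_MODULE, READING_FIRMWARE };

/* Assumed decision: with no file descriptor IMA cannot appraise the module, so
 * refuse when the IMA policy demands module appraisal and nothing else enforces
 * signatures; otherwise rely on the module loader's own signature check. */
int ima_read_file_model(bool has_file, enum read_id id, bool policy_appraises_modules)
{
    if (!has_file && id == READING_MODULE) {
        if (!is_module_sig_enforced() && policy_appraises_modules)
            return -EACCES;
        return 0;
    }
    return 0; /* file-backed reads are covered by the normal IMA policy */
}

int main(void)
{
    bool on = module_parse_cmdline("root=/dev/sda1 module.sig_enforce=1 quiet");
    printf("sig_enforce=%d, fd-less module read -> %d\n", on,
           ima_read_file_model(false, READING_MODULE, true));
    return 0;
}
```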